CVE-2025-5588
Published
CVSS v3: 6.4 MEDIUM
CVSS v2: N/A
Affected: 1 project
Description
The Image Editor by Pixo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘download’ parameter in all versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
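The advisory names the two missing controls, input sanitization and output escaping, but not how the plugin handles the parameter. The snippet below is an added illustration of that vulnerability class in WordPress plugin code; it is not the Pixo plugin's code, the function names are hypothetical, and the only value taken from the advisory is the parameter name `download`. It assumes it runs inside WordPress, where `sanitize_text_field()`, `wp_unslash()`, `esc_url()` and `esc_attr()` are core functions.

```php
<?php
// Added illustration, not code from the Pixo plugin. Assumes WordPress core
// is loaded (sanitize_text_field(), wp_unslash(), esc_url(), esc_attr()).
// Function names prefixed pixo_example_ are hypothetical.

// Unsafe pattern: the request parameter is stored as-is and later echoed
// into an attribute without escaping. A Contributor-supplied value that
// contains a double quote can close the attribute and add markup, which
// then runs for every visitor of the page (stored XSS).
function pixo_example_save_unsafe( array $request ) {
    return isset( $request['download'] ) ? $request['download'] : '';
}

function pixo_example_render_unsafe( $stored ) {
    return '<a href="' . $stored . '" download>Download</a>';
}

// Hardened pattern: sanitize when the value is saved, then escape for the
// exact output context when it is rendered. Both steps are needed, because
// a value can also reach the database through other code paths.
function pixo_example_save_safe( array $request ) {
    if ( ! isset( $request['download'] ) ) {
        return '';
    }
    // wp_unslash() undoes WordPress' magic-quotes style slashing;
    // sanitize_text_field() strips tags, octets and control characters.
    return sanitize_text_field( wp_unslash( $request['download'] ) );
}

function pixo_example_render_safe( $stored ) {
    // esc_url() rejects disallowed schemes (returns '' for them) and strips
    // characters that are not valid in a URL, including quotes and brackets.
    $url = esc_url( $stored );
    if ( '' === $url ) {
        return '';
    }
    // esc_attr() encodes quotes and angle brackets for attribute context.
    return '<a href="' . esc_attr( $url ) . '" download>Download</a>';
}

// Constructed sample request, not taken from the advisory: a value that
// closes the href attribute and appends a tag.
$constructed_request = array(
    'download' => 'https://example.test/img.png"><b>injected</b>',
);

$unsafe = pixo_example_render_unsafe( pixo_example_save_unsafe( $constructed_request ) );
$safe   = pixo_example_render_safe( pixo_example_save_safe( $constructed_request ) );

// $unsafe contains a literal <b>injected</b> element after a closed href;
// $safe keeps a single <a> element whose href holds no quote or angle bracket.
```

The reason Contributor-level access is enough here is that WordPress only runs its kses filter over post content for users without the `unfiltered_html` capability; values a plugin stores through its own parameters are not covered by that filter, so the plugin must sanitize and escape them itself.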
<p><a href="https://pixoeditor.com" rel="nofollow ugc">Pixo</a> is a cross-platform image editor. It can be integrated into any web app.</p>
<p>This plugin does exactly this – it fully replaces WordPress’ default image editor with this more powerful one, and integrates it into the front-end.</p>
<p>Features:</p>
<ul>
<li>Remove Background</li>
<li>Resize Image & Upscale with high quality</li>
<li>Instagram-like Filters</li>
<li>Stock and custom Stickers (from file or URL)</li>
<li>Rich Text editing</li>
<li>Drawing</li>
<li>Beautiful Photo Frames</li>
<li>Shapes</li>
<li>Image filesize optimization</li>
<li>Batch editing (supported only in Media list view)</li>
<li>Updates all posts where the image has been referenced</li>
<li>Can attach to every file input field in the front-end!</li>
<li>Crop, Flip, Rotate</li>
<li>Color corrections (RGB, HSV, brightness/contrast, and more)</li>
<li>Restore previous sessions and make changes to images (undo changes, update text, and more)</li>
<li>Image optimization via <a href="https://tinypng.com" rel="nofollow ugc">TinyPNG</a></li>
<li>Ability to choose to which image size to apply changes to (all, thumbnail, all except thumbnail)</li>
<li>Supports Block Editor (Gutenberg)</li>
<li>Supports Multisite</li>
<li>Mobile-friendly</li>
</ul>
<p>Pixo is an external service that requires registration. This plugin only wraps the service into WordPress and does the registration automatically for you. The registration uses your WordPress user’s email address and a randomly generated password. To change that password, visit <a href="https://pixoeditor.com:8443/cp/#/forgotten-password" rel="nofollow ugc">the Control Panel</a>.</p>
<p><a href="https://pixoeditor.com/privacy-policy/" rel="nofollow ugc">Pixo’s Privacy Policy</a></p>