CVE-2025-3832 FuseDesk

CVE-2025-3832 FuseDesk <= 6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via successredirect Parameter

April 24, 2025 invoker category_cve

Vulnerability Details

Basic Information

Title	CVE-2025-3832 FuseDesk <= 6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via successredirect Parameter
Type	cvelist
Published	2025-04-24T08:23:50
Last Seen	2025-04-24T08:44:17
CVSS Score	6.4 (MEDIUM)

CVSS v3 Details

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	LOW
User Interaction	NONE
Scope	CHANGED
Confidentiality Impact	LOW
Integrity Impact	LOW
Availability Impact	NONE

CVE Information

CVE IDs	CVE-2025-3832
CWE	CWE-79
Bulletin Family	cve

Description

The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Impact Assessment

Base Score	6.4
Severity	MEDIUM

View full CVE details