CVE-2025-4584
📋 TL;DR
The IRM Newsroom WordPress plugin has a stored cross-site scripting vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users view the compromised pages, potentially stealing credentials or performing unauthorized actions. This affects all WordPress sites using IRM Newsroom plugin versions up to 1.2.17.
💻 Affected Systems
- IRM Newsroom WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the website, or redirect visitors to malicious sites.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, perform phishing attacks, or redirect users to malicious content.
If Mitigated
With proper user access controls and content security policies, impact is limited to potential data leakage from users viewing compromised pages.
🎯 Exploit Status
Exploitation requires authenticated access with at least contributor-level permissions. The vulnerability is in the 'irmeventlist' shortcode attribute handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.18 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/irm-newsroom/trunk/irm-newsroom.php#L494
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find IRM Newsroom plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 1.2.18+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Remove Contributor Access
allTemporarily remove contributor-level access from untrusted users until patch is applied.
Navigate to Users → All Users in WordPress admin, edit user roles to remove contributor access
Disable Plugin
allTemporarily disable the IRM Newsroom plugin if not essential.
Navigate to Plugins → Installed Plugins in WordPress admin, deactivate IRM Newsroom plugin
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Regularly audit user accounts and remove unnecessary contributor-level permissions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins, look for IRM Newsroom plugin version 1.2.17 or earlier.Check Version:
wp plugin list --name=irm-newsroom --field=version (if WP-CLI installed)Verify Fix Applied:
After updating, verify IRM Newsroom plugin shows version 1.2.18 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with 'irmeventlist' parameters
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- Unexpected JavaScript payloads in WordPress page responses containing 'irmeventlist' attributes
SIEM Query:
source="wordpress.log" AND ("irmeventlist" OR "contributor" AND "login")