CVE-2025-5235 – The OpenSheetMusicDisplay WordPress plugin has ... (How to Fix)

Q: What is the severity of CVE-2025-5235?

CVE-2025-5235 has a CVSS score of 6.4 (MEDIUM). The OpenSheetMusicDisplay WordPress plugin has a stored XSS vulnerability in all versions up to 1.4.0. Authenticated attackers with Contributor access or higher can inject malicious scripts via the 'className' parameter, which execute when users view affected pages. This affects all WordPress sites using vulnerable versions of this plugin.

📋 TL;DR

The OpenSheetMusicDisplay WordPress plugin has a stored XSS vulnerability in all versions up to 1.4.0. Authenticated attackers with Contributor access or higher can inject malicious scripts via the 'className' parameter, which execute when users view affected pages. This affects all WordPress sites using vulnerable versions of this plugin.

💻 Affected Systems

Products:

OpenSheetMusicDisplay WordPress Plugin

Versions: All versions up to and including 1.4.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin enabled. Contributor-level access or higher is needed for exploitation.

📦 What is this software?

Opensheetmusicdisplay by Opensheetmusicdisplay

View all CVEs affecting Opensheetmusicdisplay →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠

Likely Case

Attackers with contributor accounts inject malicious scripts to steal session cookies or redirect users to phishing pages.

🟢

If Mitigated

With proper input validation and output escaping, no script execution occurs, though malicious content may still be stored.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is technically simple once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.4.0

Vendor Advisory: https://wordpress.org/plugins/opensheetmusicdisplay/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find OpenSheetMusicDisplay and click 'Update Now'. 4. Verify update to version after 1.4.0.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate opensheetmusicdisplay

Restrict User Roles

all

Limit contributor and author roles to trusted users only.

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block XSS payloads in className parameter
Regularly audit user accounts and remove unnecessary contributor/author roles

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for OpenSheetMusicDisplay version 1.4.0 or earlier.

Check Version:

wp plugin get opensheetmusicdisplay --field=version

Verify Fix Applied:

Verify plugin version is higher than 1.4.0 in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to wp-admin with className parameter containing script tags
Multiple failed login attempts followed by successful contributor login

Network Indicators:

Outbound connections to suspicious domains after visiting pages with sheet music content

SIEM Query:

source="wordpress.log" AND (className AND (script OR javascript OR onload OR onerror))

📊 Metadata

CVE ID: CVE-2025-5235

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.06% exploit probability (17.7th percentile)

Published: May 30, 2025

Last Updated: June 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-5235, you might also want to check these: