CVE-2025-28253

Name of the Vulnerable Software and Affected Versions MainWP MainWP Dashboard version 5.3.4

Description A Cross-Site Scripting (XSS) issue exists in the MainWP MainWP Dashboard, specifically in the class/class-mainwp-post-handler.php file. The problem arises from unsanitized user input from $ POST['sites'], $ POST['clients'], and $ POST['search'] being passed into the MainWP User::render table function. Despite the use of sanitize text field and wp unslash, the values are not adequately protected against HTML or script injection, allowing an attacker to inject malicious scripts.

Recommendations For MainWP MainWP Dashboard version 5.3.4, consider disabling the MainWP User::render table function or restricting the use of the class/class-mainwp-post-handler.php file until a patch is available. Additionally, avoid using the parameters $ POST['sites'], $ POST['clients'], and $ POST['search'] in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.