CVE-2025-0627: CWE-79 Cross-Site Scripting (XSS) in Unknown WordPress Tag, Category, and Taxonomy Manager
The WordPress Tag, Category, and Taxonomy Manager WordPress plugin before 3.30.0 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Analysis
Technical Summary
CVE-2025-0627 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress Tag, Category, and Taxonomy Manager plugin versions prior to 3.30.0. This plugin manages tags, categories, and taxonomies within WordPress sites. The vulnerability arises because the plugin fails to properly sanitize and escape certain widget settings, allowing malicious scripts to be stored and executed in the context of the WordPress admin interface. Notably, the vulnerability can be exploited by users with high privileges, such as administrators, even when the 'unfiltered_html' capability is disabled, which is a common restriction in multisite WordPress configurations to limit HTML input. The attack requires user interaction, specifically the admin user accessing the affected widget or page where the malicious payload is stored. Exploitation could lead to the execution of arbitrary JavaScript code within the admin session, potentially allowing attackers to hijack admin accounts, steal cookies or tokens, or perform actions on behalf of the admin. The CVSS v3.1 base score is 3.5, indicating a low severity level, reflecting the requirement for high privileges and user interaction, as well as the limited impact on confidentiality and integrity. There are no known exploits in the wild at the time of publication, and no official patches or updates have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.
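To make the defect class concrete, here is an added illustration in the form of a minimal WordPress widget, written for this analysis and not taken from the Tag, Category, and Taxonomy Manager plugin: the vulnerable pattern (settings stored and printed verbatim) beside a hardened version that sanitises on save and escapes on output. The setting names `title` and `intro` are assumed for the example; the plugin's real setting names are not on the page.

```php
<?php
// Added illustration of CWE-79 in widget settings (not the plugin's code).
// Widget settings do not pass through core's kses post-content filtering,
// so disallowing the 'unfiltered_html' capability (multisite default) does
// NOT protect this path: the plugin itself must sanitise and escape.

// VULNERABLE pattern: whatever an admin saves is stored and rendered as-is,
// so markup in 'title' or 'intro' executes for every visitor of the page.
class Vulnerable_Taxonomy_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'vuln_tax_widget', 'Vulnerable Taxonomy Widget' );
    }
    public function update( $new_instance, $old_instance ) {
        return $new_instance;                       // no sanitisation on save
    }
    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        echo '<h2>' . $instance['title'] . '</h2>';  // no escaping on output
        echo '<p>'  . $instance['intro'] . '</p>';
        echo $args['after_widget'];
    }
}

// HARDENED pattern: sanitise on save (honouring 'unfiltered_html' the way
// core does for post content) and escape on output (defence in depth).
class Hardened_Taxonomy_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'hard_tax_widget', 'Hardened Taxonomy Widget' );
    }
    public function update( $new_instance, $old_instance ) {
        $instance = array();
        // Plain-text setting: strip all tags and control characters.
        $instance['title'] = sanitize_text_field( $new_instance['title'] ?? '' );
        // Rich-text setting: reduce to the post-content allowlist (drops
        // <script> and on* handlers) unless the saver may post unfiltered HTML.
        $intro = $new_instance['intro'] ?? '';
        $instance['intro'] = current_user_can( 'unfiltered_html' )
            ? $intro
            : wp_kses_post( $intro );
        return $instance;
    }
    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        echo '<h2>' . esc_html( $instance['title'] ) . '</h2>';
        // Re-filter on output so stale, pre-fix option data cannot execute.
        echo '<p>'  . wp_kses_post( $instance['intro'] ) . '</p>';
        echo $args['after_widget'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Hardened_Taxonomy_Widget' );
} );
```

The output-side `wp_kses_post()` in the hardened widget matters for an upgrade: settings saved by a vulnerable version remain in the options table after the plugin is updated, and only escaping at render time neutralises them.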
Potential Impact
For European organizations using WordPress sites with the Tag, Category, and Taxonomy Manager plugin, this vulnerability poses a risk primarily to site administrators and high-privilege users. If exploited, attackers could execute malicious scripts within the admin interface, potentially leading to session hijacking, unauthorized changes to site content or configuration, and exposure of sensitive administrative data. While the vulnerability requires admin-level access to exploit, it could be leveraged in scenarios where an attacker has already compromised a lower-privilege account or gained partial access, escalating their control. This risk is heightened in multisite WordPress deployments common in larger organizations, where the 'unfiltered_html' capability is often disabled to restrict content input, yet this vulnerability bypasses that safeguard. The impact on availability is minimal, but the integrity and confidentiality of administrative functions and data could be compromised. Given the widespread use of WordPress across European public sector, media, and commercial websites, exploitation could lead to defacement, data leakage, or further pivoting within organizational networks. However, the low CVSS score and lack of known exploits suggest the immediate risk is limited but should not be ignored.
Mitigation Recommendations
1. Immediate mitigation involves restricting plugin usage to trusted administrators only and auditing current admin accounts for suspicious activity.
2. Disable or remove the WordPress Tag, Category, and Taxonomy Manager plugin until a patched version (3.30.0 or later) is available and applied.
3. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS payloads by restricting script execution sources.
4. Regularly monitor WordPress logs and admin activity for unusual behavior indicative of exploitation attempts.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting widget settings.
6. Educate administrators on the risks of stored XSS and encourage cautious handling of widget configurations and inputs.
7. For multisite deployments, review and tighten user privilege assignments to minimize the number of high-privilege users.
8. Once a patch is released, prioritize testing and deployment in staging environments before production rollout to ensure compatibility and security.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-01-21T19:08:04.546Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef687
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 8:21:02 PM
Last updated: 7/28/2025, 9:37:17 PM