CVE-2025-0805: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mlcalc Mortgage Calculator / Loan Calculator
CVE-2025-0805 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin 'Mortgage Calculator / Loan Calculator' (mlcalc) affecting all versions up to 1.5.20. Authenticated users with contributor-level or higher privileges can inject malicious scripts via the plugin's shortcode attributes due to insufficient input sanitization and output escaping. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, defacement, or other malicious actions. The vulnerability has a CVSS score of 6.4, indicating medium severity, with a low attack complexity and no user interaction required. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this issue to prevent exploitation.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-0805 affects the 'Mortgage Calculator / Loan Calculator' WordPress plugin (mlcalc) in all versions up to and including 1.5.20. It is a stored cross-site scripting (XSS) flaw categorized under CWE-79, caused by improper neutralization of input during web page generation. Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes passed through its 'mlcalc' shortcode. This allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages or posts. When other users visit these pages, the injected scripts execute in their browsers under the context of the vulnerable site. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based with low complexity, requiring privileges of at least contributor level but no user interaction to trigger the payload. The scope is classified as changed, indicating that the vulnerability can affect resources beyond the initially compromised component. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability poses risks such as session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware through the affected WordPress sites.
Potential Impact
This vulnerability can significantly impact organizations using the mlcalc plugin on WordPress sites, especially those that allow contributor-level users to create or edit content. Exploitation can lead to unauthorized script execution in the browsers of site visitors or administrators, potentially resulting in session hijacking, credential theft, defacement, or distribution of malicious payloads. The integrity and confidentiality of user data can be compromised, and trust in the affected website may be damaged. Although the availability impact is minimal, the changed scope means that the vulnerability could affect multiple users and site components beyond the initial injection point. Organizations with public-facing WordPress sites that rely on this plugin are at risk of reputational damage and potential regulatory consequences if user data is compromised. The medium CVSS score suggests a moderate level of urgency, but the ease of exploitation by authenticated users elevates the threat in environments with multiple contributors.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first check for any official patches or updates from the plugin vendor and apply them promptly once available. In the absence of a patch, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling the mlcalc plugin if it is not critical. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injection attempts targeting the mlcalc shortcode parameters can provide interim protection. Additionally, site administrators should audit existing content for injected scripts and remove any suspicious code. Employing strict Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting the sources from which scripts can be loaded. Regular security training for contributors to recognize and avoid unsafe input practices is also recommended. Finally, monitoring logs for unusual activity related to shortcode usage can help detect exploitation attempts early.
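The two defensive steps the advisory describes, escaping shortcode attributes on output and auditing existing content for injected markup, as an added example that is not the plugin's own code. The shortcode parser is a simplified version of the WordPress attribute syntax, the attribute names (title, currency) and the post content are constructed for the example, and the escaped renderer stands in for what esc_attr() does in a real WordPress shortcode handler.

```python
import html
import re

# Simplified parser for the WordPress shortcode attribute syntax:
# [mlcalc key="value" key2='value' key3=bare]. The attribute names used
# below are constructed; the plugin's real attribute list is not on the page.
SHORTCODE_RE = re.compile(r"\[mlcalc\b([^\]]*)\]")
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Markup that has no business in a calculator's display attribute.
SUSPICIOUS_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def parse_mlcalc_attrs(content):
    """Return one dict of attributes per [mlcalc ...] occurrence in content."""
    results = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(m.group(1)):
            attrs[name.lower()] = dq or sq or bare
        results.append(attrs)
    return results


def render_unsafe(attrs):
    """Vulnerable pattern (CWE-79): attribute value echoed straight into HTML."""
    return '<div class="mlcalc" data-title="%s">' % attrs.get("title", "")


def render_escaped(attrs):
    """Hardened pattern: escape on output, as esc_attr() does in WordPress."""
    title = html.escape(attrs.get("title", ""), quote=True)
    return '<div class="mlcalc" data-title="%s">' % title


def audit_posts(posts):
    """Flag (post_id, attribute, value) triples whose shortcode attrs carry markup."""
    findings = []
    for post_id, content in posts.items():
        for attrs in parse_mlcalc_attrs(content):
            for name, value in attrs.items():
                if SUSPICIOUS_RE.search(value):
                    findings.append((post_id, name, value))
    return findings


# Constructed sample post content: post 1 carries an inert script tag as the
# marker, post 2 is a benign use of the shortcode.
SAMPLE_POSTS = {
    1: 'Rates below. [mlcalc title="<script>/* constructed marker */</script>" currency="USD"]',
    2: 'Try it: [mlcalc title="30-year fixed" currency="EUR"]',
}
```

Running audit_posts over a site's post table (post_content for every published page or post) gives the content audit the mitigation paragraph asks for; the escaped renderer shows why the same value is harmless once escaping is applied.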
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-28T14:56:00.399Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b6bb7ef31ef0b5553a9
Added to database: 2/25/2026, 9:36:43 PM
Last enriched: 2/25/2026, 11:56:25 PM
Last updated: 2/26/2026, 9:42:21 AM