CVE-2025-0897: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpcalc Modal Window – create popup modal window
CVE-2025-0897 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin 'Modal Window – create popup modal window' by wpcalc, affecting all versions up to 6.1.5. The flaw arises from insufficient sanitization and escaping of user input in the 'iframeBox' shortcode, allowing authenticated users with contributor-level access or higher to inject malicious scripts. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking or unauthorized actions. The vulnerability has a CVSS score of 6.4, indicating medium severity, with no known exploits in the wild as of now. Exploitation requires authentication but no user interaction beyond visiting the affected page. Organizations using this plugin on WordPress sites should prioritize patching or applying mitigations to prevent exploitation. The threat primarily targets websites that allow contributor-level user roles and use this specific plugin, which is popular among WordPress users globally.
AI Analysis
Technical Summary
CVE-2025-0897 is a stored Cross-Site Scripting vulnerability classified under CWE-79, found in the 'Modal Window – create popup modal window' WordPress plugin developed by wpcalc. This plugin enables site administrators to create popup modal windows using shortcodes, including 'iframeBox'. The vulnerability exists due to improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of user-supplied attributes within the 'iframeBox' shortcode. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. Because the malicious script is stored persistently, it executes in the context of any user who views the infected page, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability affects all plugin versions up to and including 6.1.5. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites that use this plugin and allow contributor-level access to untrusted users. The lack of patches at the time of disclosure necessitates immediate mitigation steps.
Potential Impact
The impact of CVE-2025-0897 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an authenticated contributor or higher to inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the vulnerability requires contributor-level access, the threat is elevated in environments where contributor roles are granted to less trusted users or where account compromise is possible. The scope change in the CVSS vector indicates that the attack can affect resources beyond the initially compromised component, potentially impacting the entire site or user base. Although availability is not directly affected, the reputational damage and potential data breaches can be severe. Organizations running WordPress sites with this plugin, especially those with multiple contributors or public-facing content, face increased risk of targeted attacks and exploitation by malicious insiders or external attackers who have gained contributor credentials.
Mitigation Recommendations
1. Immediate mitigation involves restricting contributor-level access to trusted users only and auditing existing contributor accounts for suspicious activity.
2. Disable or remove the 'Modal Window – create popup modal window' plugin until a security patch is released.
3. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'iframeBox' shortcode parameters.
4. Sanitize and validate all user inputs rigorously, especially those that can be embedded in shortcodes or HTML attributes.
5. Monitor logs for unusual script injections or changes to pages containing modal windows.
6. Educate content contributors about safe content practices and the risks of injecting untrusted code.
7. Once available, promptly apply official security patches from the plugin vendor.
8. Consider employing Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected sites.
9. Regularly back up site content and configurations to enable recovery if exploitation occurs.
10. Conduct periodic security assessments focusing on plugin vulnerabilities and user privilege management.
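The technical summary above describes unescaped shortcode attributes reaching the rendered page, and mitigation step 4 asks for context-appropriate sanitization. The following is an added illustration, not wpcalc's plugin code (this page does not show the plugin's internals): a hypothetical shortcode handler named 'iframe_box_demo' in its unsafe form beside a hardened form, assuming it runs inside a WordPress runtime where add_shortcode, shortcode_atts, esc_url, esc_attr, sanitize_text_field and absint are available.

```php
<?php
/**
 * Illustrative shortcode handler (assumed, not the wpcalc plugin's code).
 * Contributors lack the 'unfiltered_html' capability, so WordPress strips
 * script tags from their post content via KSES, but shortcode text such as
 * [iframe_box_demo url="..." title="..."] survives untouched and is expanded
 * at view time. The handler's own escaping is therefore the only barrier
 * between an attribute value and every reader's browser.
 */

// UNSAFE pattern (as described in the analysis): attribute values are
// concatenated straight into HTML without validation or escaping.
function demo_iframe_box_unsafe( $atts ) {
    $a = shortcode_atts( array( 'url' => '', 'title' => '', 'width' => '600' ), $atts );
    return '<iframe src="' . $a['url'] . '" title="' . $a['title']
         . '" width="' . $a['width'] . '"></iframe>';
}

// HARDENED: validate each attribute for the context it lands in, then escape
// for exactly that context (URL, attribute text, integer).
function demo_iframe_box_safe( $atts ) {
    $a = shortcode_atts( array( 'url' => '', 'title' => '', 'width' => '600' ), $atts, 'iframe_box_demo' );

    // URL context: esc_url() returns '' for schemes outside the allowlist and
    // encodes characters that would otherwise terminate the attribute.
    $url = esc_url( $a['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return ''; // Refuse to render rather than emit an unexpected src.
    }

    // Numeric context: coerce to a positive integer and clamp to a sane range.
    $width = min( max( absint( $a['width'] ), 1 ), 2000 );

    // Attribute context: strip control characters, then encode quotes and
    // angle brackets so the value cannot break out of the attribute.
    $title = esc_attr( sanitize_text_field( $a['title'] ) );

    return sprintf(
        '<iframe src="%s" title="%s" width="%d"></iframe>',
        $url,
        $title,
        $width
    );
}

// Only the hardened handler is registered.
add_shortcode( 'iframe_box_demo', 'demo_iframe_box_safe' );
```

Escaping must happen at output time and per context; running a single generic filter on the whole attribute array does not cover the URL, attribute and numeric contexts shown here.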
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-30T19:15:25.397Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b6cb7ef31ef0b5554d4
Added to database: 2/25/2026, 9:36:44 PM
Last enriched: 2/25/2026, 11:58:48 PM
Last updated: 2/26/2026, 8:52:40 AM