
CVE-2025-10128: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in michaellow Eulerpool Research Systems

Severity: Medium
Tags: Vulnerability, CVE-2025-10128, CWE-80
Published: Tue Sep 30 2025 (09/30/2025, 03:35:32 UTC)
Source: CVE Database V5
Vendor/Project: michaellow
Product: Eulerpool Research Systems

Description

CVE-2025-10128 is a stored Cross-Site Scripting (XSS) vulnerability in the Eulerpool Research Systems WordPress plugin, affecting all versions up to 4.0.1. Authenticated users with contributor-level access or higher can exploit insufficient input sanitization in the 'aaq' shortcode to inject malicious scripts. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking or defacement. The vulnerability has a CVSS score of 6.4, indicating medium severity, with no known exploits in the wild yet. It requires authentication but no user interaction beyond page access. European organizations using this plugin on WordPress sites are at risk, especially those with contributor-level user roles. Mitigation involves applying patches once available, restricting contributor privileges, and implementing additional input validation and output escaping.

AI-Powered Analysis

Last updated: 10/07/2025, 11:33:20 UTC

Technical Analysis

CVE-2025-10128 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-80, affecting the Eulerpool Research Systems plugin for WordPress. The vulnerability arises from improper neutralization of script-related HTML tags due to insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'aaq' shortcode. This flaw allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, defacement, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions up to and including 4.0.1 of the plugin. The CVSS v3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet. The vulnerability was published on September 30, 2025, and assigned by Wordfence. The absence of patches at the time of reporting necessitates immediate mitigation steps to reduce risk.

Potential Impact

For European organizations, this vulnerability poses a significant risk to websites running WordPress with the Eulerpool Research Systems plugin installed. Since exploitation requires contributor-level access, insider threats or compromised contributor accounts could lead to malicious script injection. The injected scripts can steal session cookies, perform unauthorized actions, or deface content, undermining user trust and potentially exposing sensitive information. This can lead to reputational damage, regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and financial losses. Organizations with public-facing websites or those relying on WordPress for content management are particularly vulnerable. The medium severity score indicates a moderate but actionable threat. The lack of known exploits suggests a window for proactive defense. However, the scope of impact is limited to sites using this specific plugin, which may be more prevalent in certain European markets. The vulnerability could be leveraged in targeted attacks against high-value organizations or sectors such as media, education, or government that use WordPress extensively.

Mitigation Recommendations

1. Immediately audit WordPress installations to identify the presence of the Eulerpool Research Systems plugin and its version.
2. Restrict contributor-level access strictly to trusted users and review user roles to minimize the number of users with sufficient privileges to exploit this vulnerability.
3. Until an official patch is released, implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'aaq' shortcode parameters.
4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages.
5. Sanitize and validate all user inputs on the server side, especially those related to shortcode attributes, to prevent script injection.
6. Monitor logs and user activity for suspicious behavior indicative of exploitation attempts.
7. Once a patch is available, prioritize its deployment across all affected systems.
8. Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies.
9. Consider temporarily disabling the vulnerable shortcode if feasible to eliminate the attack vector.
10. Regularly update WordPress and plugins to reduce exposure to known vulnerabilities.
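To make steps 4, 5 and 9 concrete, the following is an added example of a small WordPress plugin file, not code from the Eulerpool Research Systems plugin and not a reproduction of its 'aaq' shortcode. The shortcode name `example_aaq` and its `title` and `url` attributes are hypothetical; the real shortcode's attribute names are not given on this page. The example shows the defect class the advisory describes (a shortcode attribute written into HTML without escaping) beside a hardened handler that uses WordPress's own `shortcode_atts`, `sanitize_text_field`, `esc_attr`, `esc_html` and `esc_url` functions, a `send_headers` hook that emits a CSP, and a `remove_shortcode` call for temporarily disabling a shortcode while a patch is pending. It assumes it is loaded by WordPress as a plugin.

```php
<?php
/**
 * Plugin Name: Example shortcode hardening (added illustration, not the vendor's code)
 *
 * Shortcode name and attribute names are assumptions; the real 'aaq'
 * shortcode's attributes are not shown in the advisory.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

// VULNERABLE pattern (CWE-80): attribute values set by a contributor are
// concatenated into the page verbatim, so any tag or event handler in
// them is rendered and executed for every visitor. Not registered below.
function example_aaq_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '' ), $atts, 'example_aaq' );
    return '<div class="aaq" title="' . $atts['title'] . '">'
         . '<a href="' . $atts['url'] . '">' . $atts['title'] . '</a></div>';
}

// HARDENED pattern: validate on input, then escape each value for the
// exact context it lands in (attribute, URL, element text).
function example_aaq_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '' ), $atts, 'example_aaq' );

    // Server-side validation: strip tags and control characters.
    $title = sanitize_text_field( $atts['title'] );

    // esc_url() rejects disallowed schemes, so only http/https-style links survive.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return ''; // Nothing safe to render; emit nothing rather than a broken link.
    }

    return sprintf(
        '<div class="aaq" title="%s"><a href="%s">%s</a></div>',
        esc_attr( $title ), // attribute context
        $url,               // already escaped for href
        esc_html( $title )  // text-node context
    );
}
add_shortcode( 'example_aaq', 'example_aaq_shortcode_hardened' );

// Step 4: a Content Security Policy that blocks inline scripts limits the
// blast radius of any stored XSS that still gets through. Tighten the
// source list to what the site actually loads before deploying.
function example_send_csp_header() {
    if ( ! is_admin() && ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'example_send_csp_header' );

// Step 9: temporarily disable a shortcode until a fixed plugin version is
// installed. Runs late on 'init' so it overrides the original registration.
// Replace 'example_aaq' with the shortcode tag you need to neutralise.
function example_disable_shortcode_until_patched() {
    remove_shortcode( 'example_aaq' );
}
add_action( 'init', 'example_disable_shortcode_until_patched', 100 );
```

The distinction that matters is between sanitising input (`sanitize_text_field`) and escaping output for its context (`esc_attr` inside an attribute, `esc_html` in element text, `esc_url` in `href`); doing only the first still leaves attribute-context injection open. A `script-src 'self'` policy will also block legitimate inline scripts from the theme or other plugins, so test the CSP in `Content-Security-Policy-Report-Only` mode first and review the reports before enforcing it.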


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-09-08T19:18:38.345Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68db52aea473ffe031e44787

Added to database: 9/30/2025, 3:46:54 AM

Last enriched: 10/7/2025, 11:33:20 AM

Last updated: 10/7/2025, 1:51:46 PM

Views: 12

