The Eulerpool Research Systems plugin for WordPress suffers from a stored cross-site scripting vulnerability identified as CVE-2025-10128, classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags). This vulnerability exists in all versions up to and including 4.0.1 due to insufficient sanitization and escaping of user-supplied attributes in the plugin's 'aaq' shortcode. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. When other users access these compromised pages, the injected scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deface content. The vulnerability is remotely exploitable over the network without requiring user interaction beyond page viewing. The CVSS 3.1 base score is 6.4, reflecting medium severity with low attack complexity and privileges required but no user interaction. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability's scope is limited to sites using this specific plugin, but the impact on confidentiality and integrity can be significant if exploited.

If exploited, this vulnerability can lead to unauthorized script execution in the context of the affected WordPress site, compromising user sessions and potentially allowing attackers to perform actions with the privileges of other users. This can result in data theft, unauthorized content modification, or further compromise of the website's integrity. For organizations, this could mean loss of customer trust, defacement of public-facing content, and potential exposure of sensitive information. Since the vulnerability requires authenticated access at contributor level or above, insider threats or compromised accounts increase risk. The absence of user interaction requirement means any user visiting the infected page is at risk. Although no known exploits exist currently, the medium severity score and ease of exploitation make this a credible threat to WordPress sites using the vulnerable plugin worldwide.

Organizations should immediately audit their WordPress installations to identify the presence of the Eulerpool Research Systems plugin and its version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate the attack surface. Restrict contributor-level access strictly to trusted users and monitor for unusual activity or content changes. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting the 'aaq' shortcode. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly review and sanitize user-generated content and shortcode attributes. Additionally, maintain up-to-date backups to enable rapid recovery if exploitation occurs. Once a patch is available, apply it promptly to remediate the vulnerability.