CVE-2025-10129 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the WordPress Live Webcam Widget & Shortcode plugin developed by miksco. This vulnerability exists in all versions up to and including 1.2 due to insufficient sanitization and escaping of user-supplied attributes in the 'webcam' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts using the vulnerable shortcode. Because the injected script is stored persistently, it executes in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability requires authentication but no user interaction beyond viewing the infected page. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required at the contributor level. The vulnerability affects the confidentiality and integrity of user data but does not impact availability. No patches or official fixes have been published yet, and no known exploits are reported in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content or shortcode attributes.

The exploitation of this vulnerability can lead to significant security risks for organizations running WordPress sites with the affected plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially stealing authentication cookies, performing actions on behalf of users, or redirecting users to phishing or malware sites. This can result in account compromise, data leakage, defacement, or further malware infection. Since contributor roles are common in multi-author blogs and content management workflows, the attack surface is broad. The vulnerability undermines user trust and can damage brand reputation. Although it does not directly affect system availability, the integrity and confidentiality of user sessions and data are at risk. Organizations with high-value targets or sensitive user data are particularly vulnerable. The lack of a patch increases exposure duration, and the possibility of chained attacks leveraging this XSS to escalate privileges or deploy persistent malware is a concern.

Organizations should immediately audit their WordPress installations for the presence of the Live Webcam Widget & Shortcode plugin and assess user roles with contributor-level or higher privileges. Until an official patch is released, consider disabling or removing the plugin to eliminate the attack vector. Restrict contributor permissions to trusted users only and implement strict content review policies to detect malicious shortcode usage. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute patterns or script injections. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs and site content for unexpected changes or injected scripts. Educate content contributors about the risks of injecting untrusted code. Once a patch is available, apply it promptly. Additionally, consider implementing multi-factor authentication (MFA) for all authenticated users to reduce the impact of compromised accounts.