CVE-2025-10129 is a stored cross-site scripting (XSS) vulnerability identified in the WordPress Live Webcam Widget & Shortcode plugin developed by miksco. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes in the 'webcam' shortcode. The flaw affects all versions up to and including 1.2. An attacker with contributor-level or higher privileges can exploit this by injecting arbitrary JavaScript code into the shortcode parameters, which is then stored and rendered on pages viewed by other users. Since the malicious script executes in the context of the victim's browser, it can lead to theft of session cookies, unauthorized actions on behalf of the user, or redirection to malicious sites. The vulnerability requires authenticated access but no user interaction to trigger once the malicious content is stored. The CVSS v3.1 score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability's presence in a popular WordPress plugin makes it a significant risk for websites relying on this plugin for webcam functionality.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the affected WordPress plugin. Exploitation could lead to unauthorized disclosure of user session information, enabling account takeover or privilege escalation. This can compromise the integrity of web content and potentially damage organizational reputation. Since the vulnerability requires contributor-level access, insider threats or compromised accounts could be leveraged to inject malicious scripts. The stored nature of the XSS means that all users visiting the infected pages are at risk, increasing the attack surface. Organizations in sectors with high web presence, such as media, education, and e-commerce, could face data breaches or defacement. Additionally, regulatory frameworks like GDPR impose strict requirements on protecting user data, so exploitation could lead to compliance violations and financial penalties.

European organizations should immediately audit their WordPress installations to identify the presence of the Live Webcam Widget & Shortcode plugin and its version. Since no official patch links are provided yet, temporary mitigations include disabling or removing the plugin until a secure update is released. Restrict contributor-level privileges to trusted users only and monitor for unusual shortcode usage or content changes. Implement Web Application Firewalls (WAF) with custom rules to detect and block suspicious script injections in shortcode parameters. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Regularly review user roles and permissions to minimize the risk of insider exploitation. Once a patch is available, prioritize prompt application. Additionally, conduct security awareness training for content contributors regarding safe input practices.