CVE-2025-10131 is a stored Cross-Site Scripting (XSS) vulnerability identified in the All Social Share Options plugin for WordPress, developed by codiblog. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the handling of the 'sc' shortcode's user-supplied attributes. Versions up to and including 1.0 fail to adequately sanitize and escape these inputs, allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, requiring only low complexity and no user interaction, but does require some level of authentication (contributor or above). The scope is considered changed (S:C) because the vulnerability affects not only the plugin but also the users interacting with the compromised pages. No patches or official fixes have been published at the time of disclosure, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.

For European organizations, this vulnerability could lead to significant security risks if the affected plugin is in use on their WordPress sites. Attackers with contributor-level access could inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or defacement of websites. This can damage organizational reputation, lead to data breaches, and violate data protection regulations such as GDPR. Since WordPress is widely used across Europe for corporate websites, blogs, and e-commerce platforms, the impact could be broad, particularly for organizations that allow multiple contributors to publish content. The vulnerability's exploitation does not require user interaction, increasing the risk of automated or widespread attacks once exploited. Additionally, the compromise of user sessions or credentials could facilitate further lateral movement or privilege escalation within organizational networks.

European organizations should immediately audit their WordPress installations to identify the presence of the All Social Share Options plugin, especially versions up to 1.0. Since no official patch is currently available, temporary mitigations include restricting contributor-level access to trusted users only and implementing strict content moderation policies. Employing Web Application Firewalls (WAFs) with custom rules to detect and block malicious script payloads in shortcode attributes can reduce risk. Organizations should also consider disabling or removing the vulnerable plugin until a secure update is released. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly monitoring website logs for unusual activity and scanning for injected scripts can aid early detection. Finally, educating content contributors about safe input practices and the risks of XSS can reduce inadvertent exploitation.