CVE-2025-10132 identifies a stored cross-site scripting (XSS) vulnerability in the Dhivehi Text plugin for WordPress, specifically affecting all versions up to and including 0.1. The vulnerability arises from improper neutralization of input during web page generation, categorized under CWE-79. The flaw exists in the plugin's 'dhivehi' shortcode, where user-supplied attributes are not sufficiently sanitized or escaped before being rendered on pages. This allows an attacker with contributor-level or higher privileges—authenticated users who can add or edit content—to inject arbitrary JavaScript code into WordPress pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or distribution of malware. The vulnerability does not require user interaction beyond visiting the compromised page, and the attack scope is limited to sites using the vulnerable plugin. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of available patches at the time of publication increases the urgency for mitigations.

For European organizations, this vulnerability could lead to unauthorized script execution on their WordPress sites, compromising the confidentiality and integrity of user sessions and data. Attackers could leverage the XSS to steal authentication cookies, perform actions on behalf of legitimate users, or deface websites, damaging brand reputation. Organizations relying on WordPress sites with multiple contributors are particularly at risk, as contributor-level access is sufficient for exploitation. The impact extends to customer trust, regulatory compliance (e.g., GDPR), and potential financial losses from data breaches or service disruptions. Since the vulnerability affects the Dhivehi Text plugin, which may be used in niche contexts (e.g., sites targeting Dhivehi language speakers), the direct impact might be limited but still critical for affected entities. Additionally, the cross-site scripting could be a pivot point for more sophisticated attacks, including phishing or malware distribution, increasing the overall threat landscape for European web properties.

1. Immediately audit WordPress sites for the presence of the Dhivehi Text plugin and identify affected versions (all up to 0.1). 2. If an updated, patched version is released, apply it promptly. In absence of a patch, consider disabling or uninstalling the plugin until a fix is available. 3. Restrict contributor-level access strictly to trusted users and review user roles to minimize the number of users who can inject content. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns related to the 'dhivehi' shortcode attributes. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 6. Conduct regular security audits and scanning for XSS vulnerabilities on WordPress installations. 7. Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies. 8. Monitor site logs for unusual activity or unexpected content changes that could indicate exploitation attempts.