The Dhivehi Text plugin for WordPress, developed by dash8x, suffers from a stored cross-site scripting vulnerability identified as CVE-2025-10132. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically within the plugin's 'dhivehi' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing other malicious actions. The vulnerability affects all versions up to and including 0.1, with no patches currently available. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and a scope change due to the impact on other users. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk in environments where multiple users interact with content generated by the plugin. The scope of impact includes confidentiality and integrity but not availability. The vulnerability is particularly concerning in multi-user WordPress sites where contributors can add content visible to others.

This vulnerability allows authenticated contributors or higher to inject malicious scripts that execute in the context of other users viewing the affected pages. The impact includes potential theft of session cookies, leading to account takeover, defacement of website content, unauthorized actions performed on behalf of other users, and distribution of malware through the compromised site. Since the vulnerability affects all versions of the plugin up to 0.1 and requires only contributor-level access, it can be exploited in many WordPress environments where this plugin is installed. The scope change means that the attacker's actions can affect other users beyond their own account, increasing the risk of widespread compromise. Organizations relying on this plugin for Dhivehi language support on WordPress sites face risks to user data confidentiality and site integrity. Although availability is not directly impacted, reputational damage and loss of user trust can result from successful exploitation.

1. Immediately restrict contributor-level user permissions to trusted individuals until a patch is available. 2. Monitor and audit content submitted via the 'dhivehi' shortcode for suspicious scripts or code injections. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting this plugin. 4. Encourage site administrators to disable or remove the Dhivehi Text plugin if it is not essential. 5. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 6. Regularly update WordPress core and plugins, and monitor the vendor's announcements for patches addressing this vulnerability. 7. Educate contributors about safe content submission practices and the risks of injecting scripts. 8. Use security plugins that can scan for and alert on stored XSS attempts within WordPress content. These steps go beyond generic advice by focusing on access control, monitoring, and layered defenses specific to the plugin's context.