CVE-2025-10135 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP ViewSTL plugin for WordPress, specifically affecting all versions up to and including 1.0. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The root cause is insufficient sanitization and escaping of user-supplied attributes in the plugin's 'viewstl' shortcode, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes whenever any user accesses the infected page, potentially compromising the confidentiality and integrity of user sessions and data. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to WordPress sites that utilize this plugin, especially those with multiple contributors. The lack of available patches at the time of publication necessitates immediate attention to mitigate risk. This vulnerability could be leveraged for session hijacking, defacement, or delivering further malware payloads through the injected scripts.

The primary impact of CVE-2025-10135 is the potential for attackers with contributor-level access to inject persistent malicious scripts into web pages, which execute in the browsers of any users visiting those pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and reputational damage due to defacement or malicious content delivery. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by access controls; however, many WordPress sites allow contributor or higher roles for content creation, making exploitation feasible. The scope change indicates that the vulnerability can affect other components or users beyond the initial plugin context, increasing the potential damage. Organizations relying on WP ViewSTL for 3D model viewing or similar functionality are at risk of compromise, especially if they have a large user base or sensitive data. The absence of known public exploits reduces immediate threat but does not eliminate the risk of targeted attacks or future exploit development. Overall, this vulnerability can undermine user trust and site integrity, potentially leading to data breaches or further compromise.

Given the absence of an official patch at the time of disclosure, organizations should implement the following mitigations: 1) Restrict contributor-level access strictly to trusted users and review user roles to minimize the number of users who can exploit this vulnerability. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns related to the 'viewstl' shortcode attributes. 3) Conduct manual code reviews or apply temporary input sanitization and output escaping in the plugin code if feasible, to neutralize malicious scripts. 4) Monitor website content for unexpected script injections or anomalies in pages using the 'viewstl' shortcode. 5) Educate content contributors about safe input practices and the risks of injecting untrusted content. 6) Plan for immediate update or removal of the WP ViewSTL plugin once a security patch is released. 7) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts, reducing the impact of potential XSS payloads. These steps go beyond generic advice by focusing on access control, proactive detection, and temporary code hardening until an official fix is available.