CVE-2025-10136 is a stored Cross-Site Scripting (XSS) vulnerability affecting the TweetThis Shortcode plugin for WordPress, developed by douglaskarr. The vulnerability exists in all versions up to and including 1.8.0 due to improper input sanitization and insufficient output escaping of user-supplied attributes within the 'tweetthis' shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into WordPress pages. When other users visit these compromised pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or the theft of sensitive information. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. Confidentiality and integrity impacts are low, while availability is not affected. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability is significant because WordPress is widely used for content management, and plugins like TweetThis Shortcode are popular for social media integration, making many websites potentially vulnerable if they use this plugin version and allow contributor-level access to untrusted users.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the vulnerable TweetThis Shortcode plugin installed. Exploitation could lead to unauthorized script execution in the context of the affected website, enabling attackers to steal session cookies, perform actions on behalf of legitimate users, or deliver malicious payloads such as phishing forms or malware. This can damage organizational reputation, lead to data breaches involving user information, and potentially facilitate further attacks within the organization's network. The requirement for contributor-level access limits the attack surface to insiders or compromised accounts, but many organizations allow multiple contributors or editors, increasing risk. Given the widespread use of WordPress in Europe across sectors including media, education, and small-to-medium enterprises, the vulnerability could impact a broad range of organizations. Additionally, the cross-site scripting could be leveraged to bypass Content Security Policies if improperly configured, further increasing risk. The lack of known exploits in the wild reduces immediate threat but does not eliminate risk, especially as attackers often develop exploits after public disclosure. Compliance with GDPR also means that any data leakage resulting from exploitation could lead to regulatory penalties.

European organizations should immediately audit their WordPress installations to identify the presence of the TweetThis Shortcode plugin and verify its version. If the plugin is installed and is version 1.8.0 or earlier, organizations should disable or remove the plugin until a patched version is released. In the absence of an official patch, organizations can implement manual mitigations such as applying strict input validation and output encoding on the 'tweetthis' shortcode attributes, or restricting contributor-level access to trusted users only. Additionally, implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute payloads can help mitigate exploitation attempts. Organizations should also review and tighten user role permissions to minimize the number of users with contributor or higher privileges. Monitoring web server and application logs for unusual activity related to shortcode usage or script injections is recommended. Finally, educating content contributors about the risks of injecting untrusted content and enforcing secure content creation policies will reduce the likelihood of exploitation.