CVE-2025-10136 identifies a stored Cross-Site Scripting (XSS) vulnerability in the TweetThis Shortcode plugin for WordPress, affecting all versions up to and including 1.8.0. The root cause is insufficient sanitization and escaping of user-supplied attributes within the 'tweetthis' shortcode, which allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the browsers of any users who visit the compromised pages, potentially leading to session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser session. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and scope change (S:C). The impact affects confidentiality and integrity but not availability. No public exploits have been reported to date. The vulnerability was published on September 26, 2025, and assigned by Wordfence. No official patches are linked yet, so mitigation relies on access control and input validation measures.

This vulnerability can lead to significant security risks for organizations running WordPress sites with the vulnerable TweetThis Shortcode plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session cookies, redirecting users to phishing sites, or performing unauthorized actions on behalf of users. This compromises the confidentiality and integrity of user data and site content. Although availability is not directly affected, the reputational damage and loss of user trust can be severe. Since the attack requires authenticated access, the threat is more relevant in environments where contributor or higher roles are assigned to untrusted or compromised users. The scope change means that the vulnerability can affect users beyond the attacker, increasing the risk profile. Organizations with high traffic WordPress sites, especially those relying on user-generated content or multiple contributors, are at elevated risk. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits in the future.

Organizations should immediately audit user roles and restrict contributor-level access to trusted individuals only. Implement strict input validation and output escaping for all user-supplied data, especially in shortcodes and plugins. Until an official patch is released, consider disabling or removing the TweetThis Shortcode plugin if it is not essential. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting the 'tweetthis' shortcode parameters. Monitor logs for unusual activity from contributor accounts and conduct regular security reviews of installed plugins. Educate site administrators and contributors about the risks of XSS and safe content practices. Once a patch becomes available, apply it promptly. Additionally, implement Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources.