CVE-2025-10138 is a stored Cross-Site Scripting (XSS) vulnerability identified in the This-or-That plugin for WordPress, affecting all versions up to and including 1.0.4. The vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient sanitization and escaping of user-supplied attributes in the plugin's 'thisorthat' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts using the shortcode. Because the malicious script is stored persistently, it executes whenever any user views the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, potentially impacting other users. No public exploits have been reported yet, but the risk remains significant given the widespread use of WordPress and the plugin. The vulnerability underscores the importance of proper input validation and output encoding in web applications, especially in plugins that accept user-generated content. Since the plugin is actively used in WordPress environments, unpatched sites remain vulnerable to persistent XSS attacks that can lead to session hijacking, defacement, or further exploitation.

For European organizations, this vulnerability poses a risk primarily to websites running WordPress with the This-or-That plugin installed. Exploitation can lead to unauthorized script execution in the context of the victim’s browser, potentially resulting in session hijacking, theft of sensitive information, unauthorized actions on behalf of users, and reputational damage. Organizations relying on contributor-level user roles for content management are particularly at risk, as attackers only need such privileges to exploit the flaw. This can affect internal portals, public-facing websites, and any web application leveraging the plugin. The impact extends to data confidentiality and integrity but does not directly affect availability. Given the widespread use of WordPress in Europe, especially in small and medium enterprises and public sector websites, the vulnerability could be leveraged for targeted attacks or broader campaigns. Additionally, GDPR considerations mean that data breaches resulting from exploitation could lead to regulatory penalties. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure.

European organizations should immediately audit their WordPress installations to identify the presence of the This-or-That plugin and verify the version in use. Since no official patch links are provided, administrators should monitor the vendor’s channels for updates or consider disabling or uninstalling the plugin until a fix is available. Implementing Web Application Firewalls (WAFs) with rules to detect and block malicious payloads targeting the 'thisorthat' shortcode can provide interim protection. Restrict contributor-level user permissions to trusted personnel only and review user roles to minimize the number of users with content publishing capabilities. Employ Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Regularly scan websites for XSS vulnerabilities using automated tools and conduct manual code reviews of custom shortcodes or plugins. Educate content contributors about the risks of injecting untrusted content and monitor logs for suspicious activity. Finally, ensure that backups are maintained to allow recovery in case of defacement or compromise.