CVE-2025-10138 identifies a stored cross-site scripting (XSS) vulnerability in the This-or-That plugin for WordPress, maintained by andrex84. The flaw exists in all versions up to and including 1.0.4 due to insufficient sanitization and escaping of user input in the 'thisorthat' shortcode attributes. Specifically, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is classified under CWE-79, reflecting improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low complexity, required privileges at contributor level, no user interaction, scope changed, and partial confidentiality and integrity impact without availability impact. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability affects all versions of the plugin, which is used in WordPress sites to create interactive content. The flaw's exploitation requires authenticated access but no additional user interaction, making it a significant risk in environments with multiple contributors or editors.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject malicious scripts that execute in the context of other users viewing the affected pages. This can lead to session hijacking, theft of authentication cookies, unauthorized actions performed on behalf of other users, or defacement of content. While availability is not impacted, the confidentiality and integrity of user data and site content can be compromised. Organizations relying on the This-or-That plugin for interactive content creation face risks of internal account compromise and lateral movement within the WordPress environment. The vulnerability could be leveraged to escalate privileges or implant persistent backdoors via malicious scripts. Given WordPress's widespread use globally, especially in content-driven organizations, the threat could affect a broad range of sectors including media, education, and e-commerce. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the ease of exploitation and lack of user interaction needed increase the risk in multi-user environments.

To mitigate this vulnerability, organizations should first check for updates from the plugin vendor and apply any available patches promptly. If no patch is available, temporarily disabling the This-or-That plugin or removing the 'thisorthat' shortcode usage can prevent exploitation. Implementing strict role-based access controls to limit contributor-level permissions only to trusted users reduces the attack surface. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections in shortcode attributes can provide additional protection. Site administrators should audit existing content for injected scripts and remove any malicious code. Enabling Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Regular monitoring of user activities and logs for unusual behavior or privilege escalations is recommended. Educating contributors about safe content input practices and the risks of injecting untrusted code can further reduce risk. Finally, consider using security plugins that sanitize shortcode inputs or replace vulnerable plugins with alternatives that follow secure coding practices.