CVE-2025-10139 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WP BookWidgets plugin for WordPress, specifically within the 'bw_link' shortcode. The vulnerability arises from improper neutralization of user-supplied input, where the plugin fails to adequately sanitize and escape attributes provided by authenticated users. This flaw allows attackers with contributor-level privileges or higher to embed arbitrary JavaScript code into pages or posts. Because the malicious script is stored persistently, it executes in the context of any user who visits the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 0.9 of WP BookWidgets. Exploitation requires authentication but no user interaction beyond visiting the infected page. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, and a scope change with limited confidentiality and integrity impact but no availability impact. No patches or known exploits are currently available, highlighting the need for proactive mitigation. The vulnerability is categorized under CWE-79, emphasizing improper input validation during web page generation.

For European organizations, this vulnerability poses a moderate risk primarily to websites using WordPress with the WP BookWidgets plugin, especially those allowing multiple contributors. Exploitation could lead to session hijacking, unauthorized actions, or data theft from users interacting with compromised pages. Educational institutions, content creators, and businesses relying on collaborative content management are particularly at risk. The scope change in the CVSS vector suggests that the vulnerability could affect components beyond the initial plugin context, potentially impacting other parts of the website or user data. While the vulnerability does not directly affect availability, the integrity and confidentiality of user data and sessions are at risk. Given the widespread use of WordPress in Europe, especially in countries with strong digital education and SME sectors, the impact could be significant if exploited at scale. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.

European organizations should immediately audit their WordPress installations for the presence of the WP BookWidgets plugin and verify the version in use. Since no official patches are currently available, temporary mitigations include restricting contributor-level access to trusted users only and disabling or removing the 'bw_link' shortcode functionality if possible. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute inputs can reduce exploitation risk. Additionally, organizations should enforce strict content security policies (CSP) to limit the impact of injected scripts. Regular monitoring of logs for unusual activity related to shortcode usage and user behavior is recommended. Once a patch is released, prompt application is critical. Educating content contributors about the risks of injecting untrusted content and enforcing least privilege principles will further reduce exposure.