CVE-2025-10139 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the WP BookWidgets plugin for WordPress. The vulnerability exists due to insufficient sanitization and escaping of user input passed through the 'bw_link' shortcode attribute. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all plugin versions up to and including 0.9. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. No public exploits have been reported yet, but the presence of authenticated access requirements limits exploitation to users with some level of trust or access within the WordPress environment. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that accept user-generated content. The lack of available patches at the time of disclosure means users must rely on temporary mitigations until an official fix is released.

The vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the context of other users visiting those pages. This can lead to the theft of session cookies, enabling account takeover, unauthorized actions performed with victim privileges, or the spread of malware. The impact primarily affects confidentiality and integrity of user data and site content. Availability is not directly impacted. Organizations relying on WP BookWidgets expose themselves to insider threats or compromised contributor accounts being leveraged for broader attacks. The medium CVSS score reflects a moderate risk, but the potential for privilege escalation and lateral movement within WordPress sites can amplify damage. Given WordPress’s widespread use, especially in small to medium businesses, educational institutions, and content creators, the vulnerability could facilitate targeted attacks or defacement campaigns. The lack of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation once proof-of-concept code becomes available.

1. Immediately restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit all content created or edited via the 'bw_link' shortcode for suspicious scripts or anomalies. 3. Implement a Web Application Firewall (WAF) with rules to detect and block typical XSS payloads targeting the plugin’s shortcode parameters. 4. Disable or remove the WP BookWidgets plugin if it is not essential to reduce the attack surface. 5. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 6. Regularly update the plugin once a patch is released by the vendor to address the vulnerability. 7. Educate content contributors about safe input practices and the risks of injecting untrusted code. 8. Use security plugins that can scan for and remediate stored XSS payloads in WordPress content. 9. Consider implementing multi-factor authentication to reduce the risk of compromised contributor accounts. 10. Backup site data frequently to enable recovery in case of defacement or compromise.