The Quick Social Login plugin for WordPress, developed by andreiigna, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-10140. This vulnerability is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes in the plugin's 'quick-login' shortcode. The flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages where the shortcode is used. Because the malicious script is stored, it executes whenever any user accesses the compromised page, potentially affecting all visitors. The vulnerability impacts all versions up to and including 1.4.6 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The vulnerability primarily compromises confidentiality and integrity by enabling script injection that can steal session cookies, perform actions on behalf of users, or manipulate page content. No patches or official fixes are currently linked, and no known exploits have been reported in the wild, but the risk remains significant due to the widespread use of WordPress and this plugin. The vulnerability is categorized under CWE-79, a common and well-understood class of web application security issues.

This vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into WordPress sites using the Quick Social Login plugin. The impact includes potential theft of user credentials or session cookies, unauthorized actions performed on behalf of users, and defacement or manipulation of website content. Since the injected scripts execute in the context of any user visiting the affected page, including administrators, the confidentiality and integrity of user data and site content are at risk. Although availability is not directly impacted, successful exploitation can lead to reputational damage, loss of user trust, and potential regulatory consequences for compromised sites. Organizations relying on this plugin, especially those with multiple contributors or user-generated content, face increased risk of targeted attacks or automated exploitation attempts once public proof-of-concept exploits emerge. The vulnerability's requirement for authenticated access limits exposure but does not eliminate risk, as contributor accounts are common in many WordPress deployments.

Organizations should immediately audit their WordPress installations to identify the presence of the Quick Social Login plugin and its version. Until an official patch is released, administrators should restrict contributor-level permissions to trusted users only and consider temporarily disabling or removing the plugin to eliminate the attack surface. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the 'quick-login' shortcode can provide interim protection. Site owners should also review and sanitize existing content generated via the shortcode to remove any injected scripts. Monitoring logs for unusual contributor activity and scanning for injected scripts on pages using the shortcode is recommended. Once a patch is available, prompt updating to the fixed plugin version is critical. Additionally, enforcing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources.