CVE-2025-10166 identifies a stored cross-site scripting vulnerability in the Social Media Shortcodes plugin for WordPress, specifically in the 'twitter' shortcode functionality. This vulnerability stems from insufficient sanitization and escaping of user-supplied attributes, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of victims. The vulnerability affects all versions up to and including 1.3.1 of the plugin. The CVSS 3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change due to impact on other users. No public exploits have been reported yet, but the vulnerability poses a risk in multi-user WordPress environments where contributors can add content. The lack of patch links suggests a fix may not yet be released, emphasizing the need for interim mitigations. This vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation leading to cross-site scripting.

The primary impact of this vulnerability is the compromise of confidentiality and integrity for users visiting affected WordPress sites. Malicious scripts injected by contributors can steal session cookies, enabling account takeover, or perform actions on behalf of users, such as changing site content or stealing sensitive information. Although availability is not directly impacted, the trustworthiness and reputation of affected websites can be severely damaged. Organizations with multiple contributors or user-generated content are at higher risk, as attackers can leverage contributor accounts to embed persistent malicious code. This can lead to widespread exploitation if popular sites are targeted, affecting visitors globally. Additionally, attackers might use this vector as a foothold for further attacks within the network or to distribute malware. The medium severity score reflects that exploitation requires some level of access but can have significant consequences once exploited.

Immediate mitigation steps include restricting contributor-level access to trusted users only and implementing strict content moderation policies to review shortcode usage before publishing. Site administrators should disable or remove the Social Media Shortcodes plugin until a security patch is released. Employing a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode inputs or script injections can reduce risk. Additionally, enabling Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script execution sources. Monitoring site content for unexpected script tags or unusual shortcode behavior is recommended. Once a patch is available from the vendor, promptly update the plugin to the fixed version. Educating contributors about secure content practices and limiting the use of shortcodes that accept user input can further reduce exposure. Regular backups and incident response plans should be in place to recover from potential compromises.