The mucasoft Any News Ticker WordPress plugin suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-10168. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically in the handling of the 'any-ticker' shortcode attributes. The plugin fails to sufficiently sanitize and escape user-supplied input, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. Because the injected scripts are stored and rendered on pages viewed by other users, this can lead to persistent XSS attacks. The vulnerability affects all versions up to and including 3.1.1. The CVSS v3.1 base score is 6.4, reflecting a network attack vector, low attack complexity, requiring privileges but no user interaction, and impacts on confidentiality and integrity with no availability impact. The scope is changed, indicating that the vulnerability can affect components beyond the vulnerable plugin itself. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability can be exploited to steal session cookies, perform actions on behalf of other users, or deface content, posing a significant risk to WordPress sites using this plugin.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to execute arbitrary JavaScript in the context of other users visiting the affected pages. This can lead to theft of authentication tokens or cookies, enabling session hijacking and unauthorized actions. It may also allow attackers to modify page content, deface websites, or conduct phishing attacks by injecting malicious scripts. Although availability is not impacted, the confidentiality and integrity of user data and site content are at risk. For organizations, this can result in compromised user accounts, loss of trust, reputational damage, and potential regulatory consequences if sensitive data is exposed. Since contributor-level access is required, the threat is primarily from insider threats or compromised accounts with elevated privileges. The vulnerability affects all sites using the Any News Ticker plugin up to version 3.1.1, which may be widespread given WordPress's popularity. The lack of known exploits in the wild suggests limited current exploitation but also highlights the need for proactive mitigation.

Organizations should immediately assess their WordPress installations for the presence of the mucasoft Any News Ticker plugin and determine the version in use. If the plugin is installed, upgrading to a patched version once available is the most effective mitigation. In the absence of an official patch, administrators should restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious shortcode injection. Additionally, implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads in shortcode attributes can reduce exploitation risk. Site owners can also sanitize and validate user inputs at the application level or disable the 'any-ticker' shortcode temporarily. Monitoring logs for unusual shortcode usage or script injections and educating content contributors about safe input practices are recommended. Regular security audits and employing Content Security Policy (CSP) headers to restrict script execution sources can further mitigate impact. Finally, backing up site data frequently ensures recovery capability in case of compromise.