CVE-2025-10179 is a stored Cross-Site Scripting vulnerability identified in the My AskAI plugin for WordPress, specifically in all versions up to and including 1.0.0. The root cause is insufficient sanitization and escaping of user input within the 'myaskai' shortcode attributes, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges, no user interaction, and a scope change. The impact primarily affects confidentiality and integrity, with no direct effect on availability. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The vulnerability affects all versions of the plugin, which is used in WordPress environments that enable AI-related functionalities via shortcodes.

The exploitation of this stored XSS vulnerability can allow attackers with contributor-level access to inject malicious scripts that execute in the browsers of users visiting the compromised pages. This can lead to theft of authentication cookies, enabling session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware. While availability is not impacted, the confidentiality and integrity of user data and site content can be compromised. Organizations relying on the My AskAI plugin in multi-user WordPress environments are particularly at risk, as contributors can abuse their access to escalate attacks. This can undermine user trust, lead to data breaches, and potentially facilitate further attacks within the network. Since the vulnerability requires authenticated access, the risk is somewhat mitigated but remains significant in environments with multiple contributors or less stringent access controls.

To mitigate this vulnerability, organizations should immediately update the My AskAI plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling the plugin or the 'myaskai' shortcode functionality. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode attributes can provide interim protection. Additionally, applying Content Security Policy (CSP) headers to restrict script execution sources can reduce the impact of injected scripts. Regularly auditing user permissions and monitoring logs for unusual shortcode usage or content changes can help detect exploitation attempts early. Developers maintaining the plugin should implement proper input validation, sanitization, and output escaping consistent with WordPress security best practices to prevent similar issues in future releases.