CVE-2025-10179: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in myaskai My AskAI
CVE-2025-10179 is a stored cross-site scripting (XSS) vulnerability in the My AskAI WordPress plugin affecting all versions up to and including 1.0.0. Authenticated users with contributor-level access or higher can inject malicious scripts through the attributes of the 'myaskai' shortcode because the plugin neither sanitizes the input nor escapes it on output. The injected script runs in the browser of any user who views the affected page, which can lead to session hijacking, defacement, or further attacks. The vulnerability has a CVSS score of 6.4 (medium severity); it requires authentication with low privileges but no user interaction beyond viewing the page. No known exploits are currently reported in the wild. European organizations running this plugin on WordPress sites are at risk, especially those that grant contributor-level roles. Mitigation involves restricting contributor privileges, monitoring shortcode usage, and applying patches or updates once available.
AI Analysis
Technical Summary
CVE-2025-10179 is a stored cross-site scripting vulnerability in the My AskAI plugin for WordPress, affecting all versions up to and including 1.0.0. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The root cause is insufficient sanitization and output escaping of user-supplied attributes in the plugin's 'myaskai' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript into pages or posts via the shortcode. Because the malicious script is stored persistently, it executes in the context of every user who visits the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on the user's behalf. The vulnerability requires no user interaction beyond visiting the page, but it does require authentication with low privileges, so it is most likely to be exploited from a compromised or insider account. The CVSS v3.1 base score is 6.4, reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, and partial confidentiality and integrity impact with no availability impact. No public exploits or patches are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. It is particularly relevant for WordPress sites that use the My AskAI plugin for AI-driven content or interaction features.
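The following PHP is an added illustration of the CWE-79 pattern the analysis describes, not code from the My AskAI plugin or from the advisory: a shortcode handler that interpolates user-supplied attributes straight into HTML, beside a hardened handler that whitelists attribute names, sanitizes on input and escapes on output with the escaper that matches the HTML context. The attribute names (`title`, `placeholder`) and the markup are hypothetical. The WordPress functions used (`shortcode_atts`, `sanitize_text_field`, `esc_attr`, `esc_html`) are real, and the file defines approximations of them only when it is run outside WordPress so that it executes stand-alone with `php`.

```php
<?php
// Added example: vulnerable vs. hardened WordPress shortcode handler.
// Not My AskAI's code; attribute names and markup are hypothetical.
//
// Approximations of the WordPress API so the file runs outside WordPress.
// Inside WordPress the real functions are defined and these are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Rough approximation of WordPress' behaviour: drop tags, collapse whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
        return trim($str);
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        // Keep only known attribute names and fill in defaults for missing ones.
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: attribute values reach the page as-is, so whoever can
// save the shortcode (a contributor) controls the generated markup.
function myaskai_render_vulnerable(array $atts): string {
    $title       = $atts['title'] ?? 'Ask AI';
    $placeholder = $atts['placeholder'] ?? 'Type a question';
    return '<div class="myaskai" title="' . $title . '">'
         . '<input type="text" placeholder="' . $placeholder . '">'
         . '<span>' . $title . '</span></div>';
}

// Hardened pattern: unknown attributes are discarded, values are reduced to
// plain text on input, and each value is escaped for the context it lands in
// (esc_attr inside an attribute, esc_html inside a text node).
function myaskai_render_hardened(array $atts): string {
    $atts = shortcode_atts([
        'title'       => 'Ask AI',
        'placeholder' => 'Type a question',
    ], $atts);
    $title       = sanitize_text_field($atts['title']);
    $placeholder = sanitize_text_field($atts['placeholder']);
    return '<div class="myaskai" title="' . esc_attr($title) . '">'
         . '<input type="text" placeholder="' . esc_attr($placeholder) . '">'
         . '<span>' . esc_html($title) . '</span></div>';
}

// Constructed attribute set of the kind a low-privileged author could save:
// the title value closes the attribute and the tag it sits in.
$untrusted = ['title' => '"><script>alert(1)</script>', 'placeholder' => 'Ask'];

echo "vulnerable: " . myaskai_render_vulnerable($untrusted) . "\n";
echo "hardened:   " . myaskai_render_hardened($untrusted) . "\n";
```

Run stand-alone, the vulnerable output contains a live `<script>` element inside the `div`, while the hardened output renders the same value as inert text (`&quot;&gt;alert(1)`), which is the behaviour a fixed release of the plugin has to provide. Sanitizing alone is not sufficient: `esc_attr` and `esc_html` are what stop a value that survives sanitization (a stray quote, for instance) from changing the HTML structure.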
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized script execution on websites using the My AskAI plugin, potentially leading to session hijacking, defacement, or unauthorized actions performed in the context of legitimate users. This can undermine user trust, damage brand reputation, and lead to data leakage or further compromise of web infrastructure. Organizations relying on WordPress for public-facing or internal content management that allow contributor-level user roles are especially vulnerable. The impact is heightened in sectors with strict data protection regulations such as GDPR, where any data leakage or compromise can result in significant fines and legal consequences. Additionally, the cross-site scripting vulnerability can be leveraged as a foothold for more advanced attacks, including phishing or lateral movement within the network. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure. The medium severity rating indicates a moderate but actionable risk that should be mitigated promptly to prevent exploitation.
Mitigation Recommendations
1. Immediately audit and restrict contributor-level and higher privileges to trusted users only, minimizing the number of accounts that can exploit this vulnerability.
2. Monitor and review all content created using the 'myaskai' shortcode for suspicious or unexpected script content.
3. Implement Web Application Firewall (WAF) rules to detect and block malicious scripts or unusual shortcode usage patterns targeting this vulnerability.
4. Disable or remove the My AskAI plugin if it is not essential to operations until a patched version is released.
5. Follow the vendor's updates closely and apply security patches as soon as they become available.
6. Educate content creators and administrators about the risks of injecting untrusted content and the importance of secure content management practices.
7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites.
8. Conduct regular security scans and penetration tests focusing on WordPress plugins and shortcode inputs to detect similar vulnerabilities proactively.
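For recommendation 2 (reviewing content that uses the 'myaskai' shortcode), the following PHP is an added audit script, not part of the plugin or of this advisory. It walks a batch of post rows, extracts every `[myaskai ...]` occurrence, parses its attributes with a simplified version of WordPress' shortcode attribute grammar (`name="value"`, `name='value'`, `name=value`), and reports attribute values that contain markup, quote characters, inline event handlers, a `javascript:` scheme, or encoded forms of those. The post rows below are constructed; in a real review the same array shape can be fed from `wp post list --post_type=post,page --fields=ID,post_author,post_content --format=json`. The attribute names in the sample data are hypothetical.

```php
<?php
// Added audit example for content using the 'myaskai' shortcode.
// Sample posts are constructed; the attribute grammar is simplified.

// Patterns that have no business inside a plain text attribute value.
// Order matters: the first match decides the reported reason.
const MYASKAI_SUSPICIOUS = [
    'event_handler' => '/\bon[a-z]+\s*=/i',               // onerror=, onload=, ...
    'js_scheme'     => '/javascript\s*:/i',
    'markup'        => '/[<>]/',                          // tag or attribute break-out
    'quote'         => '/["\']/',                         // quote inside a value
    'html_entity'   => '/&(#x?[0-9a-f]+|lt|gt|quot|apos);/i', // encoded equivalents
];

// Return every [myaskai ...] occurrence in $content as [full match, attribute string].
function myaskai_find_shortcodes(string $content): array {
    preg_match_all('/\[myaskai\b([^\]]*)\]/i', $content, $m, PREG_SET_ORDER);
    return $m;
}

// Simplified attribute parser: values may be double-quoted, single-quoted or bare.
function myaskai_parse_atts(string $attrString): array {
    $atts = [];
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $attrString, $m, PREG_SET_ORDER);
    foreach ($m as $a) {
        // Trailing non-participating groups are absent from $a, hence the ?? guards.
        $value = ($a[2] ?? '') !== '' ? $a[2]
               : (($a[3] ?? '') !== '' ? $a[3] : ($a[4] ?? ''));
        $atts[strtolower($a[1])] = $value;
    }
    return $atts;
}

// Audit a batch of posts; returns one finding per suspicious attribute value.
function myaskai_audit(array $posts): array {
    $findings = [];
    foreach ($posts as $post) {
        foreach (myaskai_find_shortcodes($post['post_content']) as $sc) {
            foreach (myaskai_parse_atts($sc[1]) as $name => $value) {
                foreach (MYASKAI_SUSPICIOUS as $reason => $re) {
                    if (preg_match($re, $value)) {
                        $findings[] = [
                            'post_id' => $post['ID'],
                            'author'  => $post['post_author'],
                            'attr'    => $name,
                            'reason'  => $reason,
                            'value'   => $value,
                        ];
                        break; // one finding per attribute is enough for review
                    }
                }
            }
        }
    }
    return $findings;
}

// Constructed rows in the shape of wp_posts (ID, post_author, post_content).
$posts = [
    ['ID' => 101, 'post_author' => 3,
     'post_content' => 'Welcome! [myaskai title="Support bot" placeholder="Ask us anything"]'],
    ['ID' => 102, 'post_author' => 7,
     'post_content' => "Hi [myaskai title='x\" onmouseover=\"alert(1)' placeholder=foo]"],
    ['ID' => 103, 'post_author' => 7,
     'post_content' => 'Docs [myaskai title="&lt;script&gt;" placeholder="Ask"] more text'],
];

foreach (myaskai_audit($posts) as $f) {
    printf("post %d (author %d): attribute '%s' flagged as %s: %s\n",
        $f['post_id'], $f['author'], $f['attr'], $f['reason'], $f['value']);
}
```

Post 101 produces no finding; post 102 is flagged on `title` as `event_handler` and post 103 on `title` as `html_entity`. The `quote` and `html_entity` rules are deliberately broad and will flag some legitimate values (a title containing an apostrophe, for instance), which is acceptable for a review list but means the output is for a human to triage, not for automatic deletion. Findings grouped by `author` also feed recommendation 1: a contributor account repeatedly saving flagged shortcodes is the account to review first.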
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-09T14:27:11.749Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68db52aea473ffe031e44799
Added to database: 9/30/2025, 3:46:54 AM
Last enriched: 10/7/2025, 11:38:25 AM
Last updated: 11/20/2025, 10:51:07 PM