CVE-2025-10180 identifies a stored cross-site scripting vulnerability in the jhoppe Markdown Shortcode plugin for WordPress, present in all versions up to and including 0.2.1. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes within the 'markdown' shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into WordPress pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability does not require user interaction beyond page access and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based, with low attack complexity, requiring privileges but no user interaction. The scope is changed, as the vulnerability affects components beyond the initially vulnerable plugin, impacting confidentiality and integrity but not availability. No public exploits or patches have been reported as of the publication date, increasing the urgency for administrators to implement mitigations. This vulnerability is particularly concerning in multi-user WordPress environments where contributors can add content but are not fully trusted. The lack of output escaping and input validation in shortcode attributes is a common vector for stored XSS in WordPress plugins, emphasizing the need for secure coding practices. The vulnerability was assigned by Wordfence and published on September 26, 2025.

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, defacing content, or performing unauthorized actions with the victim's privileges. This can lead to account takeover, data leakage, and reputational damage. Since the vulnerability is stored XSS, the malicious payload persists in the site content, increasing the risk of widespread exploitation. Although availability is not directly affected, the indirect consequences such as site defacement or user distrust can degrade service quality. Organizations relying on WordPress sites with multiple contributors are at higher risk, especially if contributor accounts are not tightly controlled. The medium CVSS score reflects the need for attention but indicates that exploitation requires some level of privilege, limiting the attack surface somewhat. However, the scope change means that the impact extends beyond the plugin itself, potentially affecting the entire site and its users.

To mitigate this vulnerability, organizations should immediately review and restrict contributor-level access to trusted users only, minimizing the risk of malicious shortcode injection. Administrators should audit existing content for suspicious or unauthorized 'markdown' shortcode usage that could contain malicious scripts. Employing Web Application Firewalls (WAFs) with rules targeting known XSS patterns in shortcode attributes can provide temporary protection. Developers and site owners should monitor for plugin updates or patches from the vendor and apply them promptly once available. In the interim, consider disabling or removing the jhoppe Markdown Shortcode plugin if it is not essential to site functionality. Implementing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting script execution sources. Additionally, educating contributors about safe content practices and the risks of injecting untrusted code is important. Regular security scanning and monitoring for anomalous behavior related to shortcode usage will aid in early detection of exploitation attempts.