CVE-2025-10180 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Markdown Shortcode plugin for WordPress, specifically versions up to and including 0.2.1. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The plugin fails to adequately sanitize and escape user-supplied attributes in its 'markdown' shortcode, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into WordPress pages. This malicious script is stored persistently and executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of users viewing the page. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based (remote), requires low attack complexity, and privileges at the contributor level, but no user interaction is needed for exploitation. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, impacting the confidentiality and integrity of user data and site content. No known exploits are currently reported in the wild, and no patches have been published yet. This vulnerability highlights the risks associated with insufficient input validation and output encoding in WordPress plugins, especially those that allow user-generated content to be rendered dynamically on web pages.

For European organizations using WordPress sites with the vulnerable Markdown Shortcode plugin, this vulnerability poses a significant risk to website integrity and user trust. Attackers with contributor-level access—often achievable through compromised accounts or insider threats—can inject malicious scripts that execute in the browsers of site visitors, including administrators and other privileged users. This can lead to theft of authentication cookies, unauthorized actions such as content modification or user account manipulation, and potential spread of malware. The confidentiality of sensitive user data and the integrity of website content can be compromised, damaging organizational reputation and potentially violating data protection regulations such as the GDPR. Additionally, the persistent nature of stored XSS increases the risk of widespread impact across multiple users. Given the widespread use of WordPress in Europe for corporate, governmental, and e-commerce websites, exploitation could disrupt business operations and erode customer confidence.

European organizations should immediately audit their WordPress installations to identify the presence of the Markdown Shortcode plugin, particularly versions up to 0.2.1. Until an official patch is released, consider disabling or removing the plugin to eliminate the attack surface. Implement strict role-based access controls to limit contributor-level permissions and monitor for unusual account activities that could indicate compromise. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute inputs that may contain script tags or event handlers. Conduct thorough input validation and output encoding for any custom shortcodes or user-generated content on the site. Regularly update WordPress core and all plugins to their latest versions once patches become available. Additionally, educate content contributors about the risks of injecting untrusted content and enforce security best practices in content management workflows. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of potential XSS payloads.