CVE-2025-10189 is a stored cross-site scripting (XSS) vulnerability identified in the BP Direct Menus plugin for WordPress, specifically affecting all versions up to and including 1.0.0. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's 'bpdm_login' shortcode, which processes user-supplied attributes insecurely. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes in the context of any user who accesses the infected page, potentially compromising session tokens, cookies, or enabling unauthorized actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those handling user-generated content or attributes. Organizations using BP Direct Menus should be aware of this risk and monitor for updates or apply manual mitigations.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed with the victim's privileges. While availability is not directly affected, the integrity and confidentiality breaches can undermine trust in the affected websites and lead to reputational damage. For organizations relying on BP Direct Menus, especially those with active user communities or sensitive data, this vulnerability could facilitate further attacks such as privilege escalation or persistent backdoors. The requirement for authenticated access limits the attack surface but does not eliminate risk, as contributor-level accounts are common in collaborative environments. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially targeted plugin, potentially impacting the entire WordPress site environment.

To mitigate this vulnerability, organizations should first check for any official patches or updates from the plugin vendor and apply them promptly once available. In the absence of an official fix, administrators should consider disabling the BP Direct Menus plugin or removing the 'bpdm_login' shortcode from all pages to prevent exploitation. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting this shortcode can provide temporary protection. Additionally, review and restrict contributor-level user permissions to the minimum necessary, and monitor user-generated content for suspicious inputs. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script execution sources. Regular security audits and scanning for XSS vulnerabilities in WordPress plugins are recommended to detect similar issues proactively. Finally, educating site administrators and users about the risks of XSS and safe content management practices will reduce the likelihood of exploitation.