CVE-2025-10189: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mrwulf BP Direct Menus
CVE-2025-10189 is a stored cross-site scripting (XSS) vulnerability in the BP Direct Menus WordPress plugin, affecting all versions up to 1.0.0. Authenticated users with contributor-level access or higher can inject malicious scripts via the 'bpdm_login' shortcode due to improper input sanitization and output escaping. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, defacement, or further attacks. The vulnerability has a CVSS score of 6.4, indicating medium severity, and does not require user interaction but does require authentication. No known exploits are currently reported in the wild. European organizations using this plugin on WordPress sites should prioritize patching or mitigating this issue to prevent exploitation. Mitigations include restricting contributor permissions, applying strict input validation, and monitoring for suspicious activity.
AI Analysis
Technical Summary
CVE-2025-10189 is a stored cross-site scripting (XSS) vulnerability identified in the BP Direct Menus plugin for WordPress, specifically affecting all versions up to and including 1.0.0. The vulnerability arises from insufficient sanitization and escaping of user-supplied attributes in the 'bpdm_login' shortcode. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the injected scripts are stored persistently, they execute whenever any user accesses the affected page, enabling attackers to perform actions such as session hijacking, credential theft, or delivering further malicious payloads. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to contributor access but no user interaction. The scope is changed, meaning the vulnerability affects resources beyond the attacker’s privileges, potentially impacting all site visitors. No patches or official fixes have been released at the time of publication, and no known exploits have been observed in the wild. The vulnerability was reserved on September 9, 2025, and published on September 30, 2025, by Wordfence. This issue highlights the risks associated with insufficient input validation in WordPress plugins, especially those that allow user-generated content or shortcode attributes.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with the BP Direct Menus plugin installed. Exploitation could lead to unauthorized script execution in the context of site visitors, potentially compromising user credentials, session tokens, or enabling phishing attacks through manipulated page content. This can damage organizational reputation, lead to data breaches involving personal or sensitive information, and disrupt web services. Since contributor-level access is required, insider threats or compromised contributor accounts increase risk. The vulnerability’s ability to affect all users visiting the injected pages broadens the attack surface, potentially impacting customers, partners, and employees. Additionally, regulatory requirements under GDPR impose strict obligations on protecting user data, and exploitation could result in compliance violations and financial penalties. The lack of an official patch means organizations must implement interim controls to mitigate risk. The threat is particularly relevant for sectors with high web presence such as media, e-commerce, education, and government services across Europe.
Mitigation Recommendations
1. Immediately audit WordPress installations to identify the presence of the BP Direct Menus plugin and verify the version in use.
2. Restrict contributor-level permissions to trusted users only and review user roles to minimize unnecessary privileges.
3. Implement strict input validation and output escaping on all shortcode attributes, either by applying custom filters or using security plugins that enforce sanitization.
4. Monitor web server and application logs for unusual activity indicative of XSS attempts, such as unexpected script tags or anomalous POST requests.
5. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS patterns to block malicious payloads before they reach the application.
6. Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies.
7. Regularly back up website data and configurations to enable rapid restoration if compromise occurs.
8. Stay alert for official patches or updates from the plugin vendor and apply them promptly once available.
9. Consider temporarily disabling or replacing the BP Direct Menus plugin if mitigation is not feasible until a fix is released.
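Recommendation 3 is the one that actually closes the CWE-79 defect. The following is an added illustration, not code from BP Direct Menus: a hypothetical login-link shortcode (tag `demo_login` and attributes `label`, `url`, `class` are invented) written first in the unescaped style that produces stored XSS from shortcode attributes, then in the escaped style a plugin reviewer would expect, using only WordPress core helpers.

```php
<?php
/*
 * Added illustration, not the plugin's own code. The shortcode tag and its
 * attributes are hypothetical; only the defect class (shortcode attributes
 * reaching HTML without escaping) mirrors CVE-2025-10189.
 */

// Vulnerable pattern: attribute values are concatenated straight into markup.
// Anyone allowed to place shortcodes (contributor and up) controls $atts, so a
// value containing quotes or a <script> tag is stored and rendered verbatim
// for every visitor of the page.
function demo_login_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Log in', 'url' => wp_login_url(), 'class' => 'bp-login' ),
        $atts,
        'demo_login'
    );
    return '<a class="' . $atts['class'] . '" href="' . $atts['url'] . '">'
        . $atts['label'] . '</a>';
}

// Hardened pattern: constrain on input where a fixed vocabulary exists, then
// escape every value with the helper that matches the HTML context it lands in.
function demo_login_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Log in', 'url' => wp_login_url(), 'class' => 'bp-login' ),
        $atts,
        'demo_login'
    );

    // Class names have a narrow grammar: reduce to it instead of blacklisting.
    $class = sanitize_html_class( $atts['class'], 'bp-login' );

    // esc_url() rejects disallowed URL schemes and escapes the remainder for HTML.
    $url = esc_url( $atts['url'] );

    // esc_html() encodes <, >, &, and quotes for text-node context.
    $label = esc_html( $atts['label'] );

    // esc_attr() for attribute context; $url is already attribute-safe.
    return sprintf(
        '<a class="%s" href="%s">%s</a>',
        esc_attr( $class ),
        $url,
        $label
    );
}

// Register only the escaped handler.
add_shortcode( 'demo_login', 'demo_login_shortcode_safe' );
```

The same three-step shape (default via `shortcode_atts()`, constrain, escape per context) applies to any attribute a shortcode echoes, which is what an audit of an installed plugin's shortcode callbacks should look for.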
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-09T15:48:28.659Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68db52aea473ffe031e447a1
Added to database: 9/30/2025, 3:46:54 AM
Last enriched: 10/7/2025, 11:34:01 AM
Last updated: 10/7/2025, 1:41:25 PM