CVE-2025-10196 is a stored cross-site scripting (XSS) vulnerability identified in the Survey Anyplace plugin for WordPress, affecting all versions up to and including 1.0.0. The vulnerability stems from improper neutralization of input during web page generation, specifically within the 'surveyanyplace_embed' shortcode. This shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79 and has a CVSS v3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges (contributor or above) but no user interaction beyond page viewing. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. While no known exploits are currently reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of available patches at the time of publication necessitates immediate attention to mitigate potential exploitation.

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites and their users. By injecting malicious scripts, attackers can steal session cookies, enabling account takeover or impersonation of legitimate users. This can lead to unauthorized access to sensitive data or administrative functions. Additionally, attackers may perform actions on behalf of victims, such as modifying content or spreading malware. Although availability is not directly impacted, the reputational damage and potential data breaches can have severe consequences for organizations. Since exploitation requires contributor-level access, the threat is heightened in environments with multiple users having such privileges, including educational institutions, media companies, and collaborative platforms. The vulnerability's scope change means that the impact can extend beyond the plugin itself, affecting the entire site and its visitors. Organizations worldwide that rely on WordPress and the Survey Anyplace plugin for surveys or data collection are at risk, especially if they do not enforce strict access controls or input validation.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates released by the plugin vendor. In the absence of patches, administrators should restrict contributor-level access to trusted users only and review existing user permissions to minimize risk. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'surveyanyplace_embed' shortcode can provide temporary protection. Additionally, site administrators can sanitize and validate all user inputs related to this shortcode manually or via custom code hooks to prevent script injection. Regular security audits and monitoring for unusual activity or injected scripts on pages using the plugin are recommended. Educating contributors about safe input practices and the risks of injecting untrusted content can reduce accidental exploitation. Finally, consider disabling or removing the Survey Anyplace plugin if it is not essential, or replacing it with a more secure alternative until a fix is available.