CVE-2025-10295 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Angel – Fashion Model Agency WordPress CMS Theme, versions up to and including 3.2.3. The vulnerability arises from improper neutralization of input during web page generation, specifically within the profile media uploader functionality. Authenticated users with subscriber-level privileges or higher can upload media files containing malicious scripts that are not properly sanitized or escaped before being stored and rendered on profile pages. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially allowing attackers to hijack sessions, steal cookies, perform actions on behalf of users, or deliver further malware. The attack vector is remote over the network, with low attack complexity, requiring only authenticated access but no additional user interaction. The vulnerability affects confidentiality and integrity but not availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is categorized under CWE-79, indicating a classic stored XSS flaw. Given the theme’s niche use in fashion model agency websites, the impact is focused but significant for affected sites. The vulnerability’s scope is limited to installations using this specific WordPress theme, but the widespread use of WordPress in Europe means many sites could be at risk if using this theme without mitigation.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the Angel – Fashion Model Agency WordPress theme. Exploitation could lead to unauthorized access to user sessions, theft of sensitive information, and potential defacement or manipulation of web content. This can damage brand reputation, lead to data breaches involving user credentials or personal information, and facilitate further attacks such as phishing or malware distribution. Organizations in the fashion, modeling, and related industries that rely on this theme for their online presence are particularly vulnerable. The impact is compounded by the fact that the vulnerability requires only subscriber-level authentication, which is commonly granted to registered users or customers, increasing the attack surface. While availability is not affected, the compromise of confidentiality and integrity can have legal and regulatory consequences under GDPR, especially if personal data is exposed. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is publicly known.

European organizations should immediately audit their WordPress installations to identify the use of the Angel – Fashion Model Agency theme, particularly versions up to 3.2.3. Since no official patches are currently linked, temporary mitigations include restricting subscriber-level access to trusted users only and disabling or restricting the profile media uploader functionality. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script payloads in media uploads can reduce exploitation risk. Regularly monitoring logs for unusual activity related to profile edits or media uploads is advised. Organizations should also educate users about the risks of clicking on suspicious links and visiting untrusted profile pages. Once a patch or update is released by the vendor, immediate application is critical. Additionally, applying Content Security Policy (CSP) headers to limit script execution sources can mitigate the impact of injected scripts. Backup and incident response plans should be reviewed to quickly respond to any exploitation attempts.