CVE-2025-10295 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Angel – Fashion Model Agency WordPress CMS Theme, versions up to and including 3.2.3. The flaw arises from improper neutralization of input during web page generation, specifically in the profile media uploader functionality. Authenticated users with subscriber-level access or higher can upload media files containing malicious scripts that are insufficiently sanitized and improperly escaped before being rendered on profile pages. When other users access these pages, the injected scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deliver further malware. The vulnerability is exploitable remotely over the network without user interaction beyond page access. The CVSS v3.1 score of 6.4 reflects a medium severity, with attack vector as network, low attack complexity, privileges required as low (authenticated subscriber), no user interaction needed, and a scope change indicating that the vulnerability affects resources beyond the vulnerable component. Confidentiality and integrity impacts are low, while availability is unaffected. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The theme is used primarily in WordPress sites related to fashion modeling agencies, which may be niche but still relevant for targeted attacks.

For European organizations, the impact of this vulnerability can be significant, especially for businesses using the Angel WordPress theme for their public-facing websites or internal portals. Exploitation could lead to session hijacking, unauthorized actions performed under legitimate user credentials, defacement of websites, or distribution of malware to visitors. This undermines user trust, damages brand reputation, and may lead to data breaches involving personal information of users or clients. Since the vulnerability requires only subscriber-level access, attackers could exploit compromised or weak user accounts to escalate their impact. The scope change in the CVSS vector indicates that the vulnerability affects components beyond the immediate theme, potentially impacting other integrated systems or plugins. Given the widespread use of WordPress in Europe and the popularity of fashion and modeling agencies, the threat could affect a range of organizations from small businesses to larger enterprises. Regulatory compliance risks also arise under GDPR if personal data is compromised through this vulnerability.

European organizations should immediately audit their WordPress installations to identify the use of the Angel – Fashion Model Agency theme, particularly versions up to 3.2.3. Until an official patch is released, mitigation steps include: 1) Restricting or disabling subscriber-level users' ability to upload media files or access the profile media uploader feature. 2) Implementing web application firewall (WAF) rules to detect and block common XSS payloads targeting the profile media upload endpoint. 3) Enforcing strict input validation and output encoding at the application or proxy level if possible. 4) Monitoring logs for suspicious activity related to profile edits and media uploads. 5) Educating users about phishing and social engineering risks that could lead to account compromise. 6) Considering temporary theme replacement or disabling the vulnerable theme if feasible. 7) Applying the principle of least privilege to user roles to minimize the number of users with upload permissions. 8) Keeping WordPress core, plugins, and themes updated and subscribing to vendor security advisories for timely patching once available.