CVE-2025-10295 is a stored cross-site scripting vulnerability identified in the Angel – Fashion Model Agency WordPress CMS Theme, versions up to and including 3.2.3. The vulnerability arises due to improper neutralization of input during web page generation, specifically in the profile media uploader component. Authenticated users with subscriber-level permissions or higher can upload media files containing malicious scripts that are insufficiently sanitized and escaped. These scripts become embedded in profile pages and execute in the context of any user who views the compromised page, enabling attackers to perform actions such as session hijacking, cookie theft, or executing arbitrary JavaScript. The vulnerability does not require user interaction beyond visiting the affected page and leverages the common WordPress role system, making it accessible to low-privilege users. The CVSS 3.1 score of 6.4 reflects a network attack vector, low attack complexity, requiring privileges but no user interaction, with a scope change and limited confidentiality and integrity impact but no availability impact. No patches or public exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly to prevent exploitation.

The impact of CVE-2025-10295 on organizations worldwide includes potential compromise of user sessions, unauthorized actions performed on behalf of users, and exposure of sensitive information through malicious script execution. Attackers could leverage this vulnerability to escalate privileges, deface websites, or conduct phishing attacks by injecting deceptive content. Since the vulnerability affects a WordPress theme used in fashion agency websites, organizations in the fashion, modeling, and related industries could face reputational damage and loss of customer trust if exploited. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with many registered users or weak access controls. The vulnerability could also serve as a foothold for further attacks within the network, especially if combined with other vulnerabilities or social engineering tactics. Overall, the threat poses a moderate risk to confidentiality and integrity but does not affect availability directly.

To mitigate CVE-2025-10295, organizations should immediately update the Angel – Fashion Model Agency WordPress theme to a patched version once available. Until a patch is released, administrators should restrict subscriber-level users' ability to upload media or access the profile media uploader. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script payloads in uploads can reduce risk. Conduct thorough input validation and output encoding on all user-supplied data, especially in custom theme components. Review and tighten user role permissions to minimize unnecessary upload capabilities. Regularly audit user-generated content for suspicious scripts and monitor logs for unusual activity. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts. Finally, educate users about the risks of XSS and encourage strong authentication practices to reduce the likelihood of compromised accounts.