CVE-2025-10490: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dylanjkotze Zephyr Project Manager

Severity: Medium
Tags: Vulnerability, CVE-2025-10490, CVE, CWE-79
Published: Fri Sep 26 2025 (09/26/2025, 06:43:29 UTC)
Source: CVE Database V5
Vendor/Project: dylanjkotze
Product: Zephyr Project Manager

Description

The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI-Powered Analysis

Last updated: 09/26/2025, 06:49:26 UTC

Technical Analysis

CVE-2025-10490 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Zephyr Project Manager plugin for WordPress, developed by dylanjkotze. The vulnerability is an improper neutralization of input during web page generation (CWE-79): values submitted through the plugin's admin settings are neither sufficiently sanitized when stored nor escaped when rendered. An authenticated user with administrator-level permissions or higher can therefore store arbitrary script in those settings, and the script executes in the browser of any user who later opens the affected page, which can lead to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. Importantly, the issue only affects multisite WordPress installations and installations where the unfiltered_html capability has been disabled; elsewhere administrators are already permitted to publish unfiltered HTML, so the scope is limited. The CVSS v3.1 base score is 4.4 (medium): network attack vector, high attack complexity, high privileges required, no user interaction, low impact on confidentiality and integrity, and no impact on availability. No exploitation in the wild has been reported and no patch has been linked yet. The vulnerability was published on September 26, 2025, and affects all versions of the plugin up to and including 3.3.202.
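As an added illustration, not code from the Zephyr Project Manager plugin (whose source is not on this page), the following plain PHP shows the pattern the analysis describes: a settings value stored without sanitization and echoed without escaping, beside the hardened form that sanitizes on save and escapes for each output context. The WordPress helpers sanitize_text_field(), esc_html() and esc_attr() are replaced by stand-ins so the file runs with the php CLI alone; the field name project_title, the function names and the test value are constructed for the example. The final check also serves the monitoring step in the mitigations below, as a rough screen for live script in rendered admin pages or stored option values.

```php
<?php
// Added example, not the plugin's code: an admin settings field saved by an
// administrator and later rendered, once as the advisory describes the flaw
// (no sanitization, no escaping) and once hardened. WordPress helpers are
// replaced by plain-PHP stand-ins so the file runs stand-alone:
//   sanitize_text_field()   -> sanitize_text()
//   esc_html() / esc_attr() -> esc_html_out() / esc_attr_out()

// Vulnerable: the raw submitted value is stored as-is ...
function save_setting_vulnerable(array &$options, string $submitted): void {
    $options['project_title'] = $submitted;
}

// ... and echoed into two HTML contexts without escaping, so stored markup
// becomes live markup for every user who opens the page.
function render_setting_vulnerable(array $options): string {
    $v = $options['project_title'];
    return '<input name="project_title" value="' . $v . '">' . "\n"
         . '<h2>' . $v . '</h2>';
}

// Stand-in for sanitize_text_field(): a plain-text setting never needs tags,
// control characters or surrounding whitespace.
function sanitize_text(string $s): string {
    $s = strip_tags($s);
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
    return trim($s);
}

// Stand-ins for esc_html() and esc_attr(): both encode <, >, &, " and '.
function esc_html_out(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function esc_attr_out(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: sanitize on save. WordPress applies this to plain-text settings
// regardless of the unfiltered_html capability; that capability (absent on
// multisite by default) only decides whether a user may store markup in
// fields that legitimately accept it, which is why the advisory scopes the
// issue to installs where unfiltered_html is disabled.
function save_setting_hardened(array &$options, string $submitted): void {
    $options['project_title'] = sanitize_text($submitted);
}

// Hardened: escape at output with the function matching the HTML context.
// Escaping is still required after sanitizing on save, because values stored
// earlier (or written by another code path) may never have been cleaned.
function render_setting_hardened(array $options): string {
    $v = $options['project_title'];
    return '<input name="project_title" value="' . esc_attr_out($v) . '">' . "\n"
         . '<h2>' . esc_html_out($v) . '</h2>';
}

// Rough detection check for rendered admin pages or stored option values:
// flags an unescaped <script> tag or an inline event-handler attribute.
function contains_live_script(string $html): bool {
    return (bool) preg_match('/<script\b|\son[a-z]+\s*=/i', $html);
}

// Constructed test value for this example (not a payload from the advisory).
$submitted = 'Q3 roadmap<script>/*test*/</script>';

$vuln = [];
save_setting_vulnerable($vuln, $submitted);
$hard = [];
save_setting_hardened($hard, $submitted);

echo render_setting_vulnerable($vuln), "\n";
echo "live script: ", var_export(contains_live_script(render_setting_vulnerable($vuln)), true), "\n\n";
echo render_setting_hardened($hard), "\n";
echo "live script: ", var_export(contains_live_script(render_setting_hardened($hard)), true), "\n";
```

Run with `php example.php`: the vulnerable render emits the stored <script> element unchanged and the check reports true, while the hardened path stores the value as plain text ("Q3 roadmap/*test*/") and the check reports false. In a real plugin the two fixes are independent and both belong in place: sanitization on save protects the database, escaping on output protects the page even when the database already holds a dirty value.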

Potential Impact

For European organizations using WordPress multisite installations with the Zephyr Project Manager plugin, this vulnerability poses a risk of unauthorized script execution within the administrative context. An attacker with administrator privileges could inject malicious JavaScript that executes in the browsers of other administrators or users with elevated permissions, potentially leading to theft of authentication tokens, manipulation of project management data, or unauthorized administrative actions. While the requirement for administrator-level access limits the initial attack surface, insider threats or compromised administrator accounts could exploit this vulnerability to escalate attacks. The impact on confidentiality and integrity could disrupt project workflows, leak sensitive project information, or facilitate further compromise of the WordPress environment. Given the widespread use of WordPress in Europe, especially among SMEs and public sector organizations, the vulnerability could affect entities relying on this plugin for project management in multisite setups. However, the absence of known exploits and the medium severity score suggest a moderate risk level, contingent on the presence of the plugin and specific configuration settings.

Mitigation Recommendations

European organizations should immediately audit their WordPress multisite installations to identify the presence of the Zephyr Project Manager plugin, especially versions up to 3.3.202. Since no official patches are currently linked, organizations should consider the following practical steps:

1) Restrict administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised credentials;
2) Temporarily disable or remove the Zephyr Project Manager plugin in multisite environments or where unfiltered_html is disabled until a patch is available;
3) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts;
4) Monitor administrative pages for unusual script injections or modifications;
5) Educate administrators about the risks of stored XSS and safe input handling;
6) Regularly back up WordPress configurations and data to enable rapid recovery if exploitation occurs;
7) Stay updated with vendor advisories for forthcoming patches and apply them promptly once released.

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-15T15:23:44.983Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d6368f9104bf76542472b9

Added to database: 9/26/2025, 6:45:35 AM

Last enriched: 9/26/2025, 6:49:26 AM

Last updated: 9/26/2025, 8:34:51 AM
