CVE-2025-10490 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in the Zephyr Project Manager plugin for WordPress, developed by dylanjkotze. The vulnerability exists in all versions up to and including 3.3.202 due to insufficient sanitization of input and inadequate escaping of output in the plugin's admin settings interface. This flaw allows authenticated users with administrator-level permissions or higher to inject arbitrary JavaScript code into pages managed by the plugin. The malicious scripts are stored persistently and execute whenever any user accesses the affected page, potentially leading to session hijacking, unauthorized actions, or data theft. Notably, this vulnerability only affects WordPress multi-site installations or single-site installations where the unfiltered_html capability is disabled, limiting the scope of impact. The attack vector is network-based, requiring high privileges (administrator) and no user interaction is necessary for the malicious payload to execute. The CVSS 3.1 score of 4.4 reflects a medium severity, with low confidentiality and integrity impact and no availability impact. There are no known public exploits at this time, and no patches have been linked yet. The vulnerability was publicly disclosed on September 26, 2025, and assigned by Wordfence. The scope is considered changed (S:C) because the vulnerability affects multiple components or users within the multi-site environment.

The primary impact of this vulnerability is the potential for authenticated administrators to inject malicious scripts that execute in the context of other users accessing the affected pages. This can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of other users. Although exploitation requires administrator privileges, the persistent nature of the stored XSS increases risk in multi-site WordPress environments where multiple users access shared resources. The vulnerability does not affect availability but can compromise confidentiality and integrity of user sessions and data. Organizations relying on the Zephyr Project Manager plugin in multi-site setups or with restricted HTML capabilities are at risk of targeted attacks that could facilitate lateral movement or privilege escalation within their WordPress environment. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure. The medium CVSS score indicates moderate risk, but the requirement for high privileges limits exposure primarily to insider threats or compromised administrator accounts.

To mitigate CVE-2025-10490, organizations should first verify if they are running multi-site WordPress installations or have unfiltered_html disabled, as single-site installations with unfiltered_html enabled are not affected. Immediate mitigation includes restricting administrator access to trusted personnel only and monitoring admin activity for suspicious behavior. Since no official patch is currently linked, administrators should consider temporarily disabling or removing the Zephyr Project Manager plugin until a fixed version is released. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting the plugin’s admin settings can reduce risk. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly auditing user permissions and employing multi-factor authentication for administrator accounts will further reduce the likelihood of exploitation. Once a patch is available, prompt application is critical. Finally, monitoring WordPress security advisories and threat intelligence feeds for updates on this vulnerability is recommended.