CVE-2025-15000 is a stored cross-site scripting vulnerability identified in the Page Keys plugin for WordPress, affecting all versions up to and including 1.3.3. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'page_key' parameter. This parameter lacks sufficient input sanitization and output escaping, allowing authenticated users with administrator privileges to inject arbitrary JavaScript code into pages. The vulnerability is limited to WordPress multisite installations where the 'unfiltered_html' capability is disabled, which restricts the ability to post unfiltered HTML content. When a user visits a page containing the injected script, the malicious code executes in their browser context, potentially enabling session hijacking, privilege escalation, or other malicious actions. The CVSS 3.1 score of 4.4 (medium severity) reflects that exploitation requires network access, high attack complexity, and administrator privileges, but results in limited confidentiality and integrity impact without affecting availability. No public exploits have been reported, and no patches have been linked yet, indicating that mitigation relies on access control and configuration adjustments. The vulnerability is cataloged under CWE-79, which covers cross-site scripting issues due to improper input validation and output encoding.

For European organizations, this vulnerability poses a moderate risk primarily to those operating WordPress multisite environments with the Page Keys plugin installed. Since exploitation requires administrator-level access, the threat is mostly internal or from compromised admin accounts. Successful exploitation could lead to unauthorized script execution in users' browsers, enabling session hijacking, data theft, or further privilege escalation within the WordPress environment. This could compromise the confidentiality and integrity of website content and user data. Given the widespread use of WordPress in Europe, especially in sectors like media, education, and government, the vulnerability could be leveraged for targeted attacks or defacements. However, the requirement for multisite configuration and disabled unfiltered_html limits the scope somewhat. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks. Organizations failing to mitigate this vulnerability may face reputational damage, data breaches, or regulatory compliance issues under GDPR if personal data is exposed.

1. Immediately audit WordPress installations to identify multisite environments using the Page Keys plugin version 1.3.3 or earlier. 2. Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of credential compromise. 3. Temporarily disable or remove the Page Keys plugin if multisite and unfiltered_html are in use until a patch is available. 4. Implement strict input validation and output encoding on the 'page_key' parameter if custom code or overrides are possible. 5. Monitor multisite WordPress pages for unexpected script injections or unusual content changes using security plugins or web application firewalls (WAFs) with XSS detection capabilities. 6. Educate administrators about the risks of injecting untrusted content and the importance of secure plugin management. 7. Stay updated with vendor advisories for official patches or updates addressing this vulnerability and apply them promptly once released. 8. Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers.