CVE-2025-15000 identifies a stored cross-site scripting (XSS) vulnerability in the Page Keys plugin for WordPress, affecting all versions up to and including 1.3.3. The root cause is insufficient input sanitization and output escaping of the 'page_key' parameter, which allows an authenticated attacker with administrator-level privileges to inject arbitrary JavaScript code into pages. This vulnerability specifically impacts multisite WordPress installations or those where the 'unfiltered_html' capability is disabled, limiting the ability to filter HTML content. When a user visits a page containing the injected script, the malicious code executes in their browser context, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability requires high privileges (administrator access) and does not require user interaction beyond visiting the infected page. The CVSS 3.1 base score is 4.4 (medium), reflecting network attack vector, high attack complexity, and privileges required. No public exploits have been reported, but the vulnerability poses a risk due to the stored nature of the XSS, which can affect multiple users over time. The lack of available patches at the time of reporting necessitates immediate attention to mitigation strategies.

The primary impact of this vulnerability is the potential compromise of user sessions and integrity of the affected WordPress sites. An attacker with administrator access can inject persistent malicious scripts that execute in the browsers of any user visiting the infected pages, including other administrators and site users. This can lead to theft of authentication cookies, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Although exploitation requires high privileges, the stored nature of the XSS increases risk in environments with multiple administrators or editors. Multisite WordPress installations are particularly at risk, as the vulnerability can propagate across multiple sites within the network. This can undermine trust in the website, cause data breaches, and disrupt normal operations. Since no known exploits are currently active, the threat is moderate but could escalate if weaponized. Organizations relying on multisite WordPress with the Page Keys plugin should consider this a significant risk to confidentiality and integrity.

1. Immediately restrict administrator access to trusted personnel only and review existing admin accounts for compromise. 2. Disable or remove the Page Keys plugin if it is not essential, especially in multisite environments. 3. If the plugin is required, monitor for updates or patches from the vendor and apply them as soon as they become available. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'page_key' parameter. 5. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 6. Conduct regular security audits and code reviews of custom plugins and themes to identify similar input validation issues. 7. Educate administrators about the risks of stored XSS and enforce the principle of least privilege. 8. Consider enabling multi-factor authentication (MFA) for administrator accounts to reduce the risk of account compromise. 9. Regularly backup WordPress sites to enable recovery in case of compromise. 10. Monitor logs for unusual activity related to page modifications or script injections.