CVE-2025-15000 is a stored cross-site scripting (XSS) vulnerability identified in the Page Keys plugin for WordPress, maintained by tfrommen. The vulnerability exists in all versions up to and including 1.3.3 and is caused by improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'page_key' parameter. This flaw allows authenticated attackers with administrator privileges to inject arbitrary JavaScript code into pages within multisite WordPress installations or those where the 'unfiltered_html' capability is disabled. When a user accesses a compromised page, the injected script executes in their browser context, potentially enabling session hijacking, privilege escalation, or other malicious actions. The vulnerability requires high privileges (administrator access) and has a high attack complexity, as exploitation is limited to specific WordPress configurations. The CVSS v3.1 base score is 4.4, indicating medium severity, with confidentiality and integrity impacts rated low, no availability impact, and no user interaction required. No public exploits are currently known, and no patches have been linked yet. The vulnerability was published on January 7, 2026, and assigned by Wordfence. This issue is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).

For European organizations, this vulnerability poses a moderate risk primarily to those operating WordPress multisite environments using the Page Keys plugin. The requirement for administrator-level access limits the attack surface to insiders or compromised admin accounts. However, successful exploitation can lead to the injection of malicious scripts that execute in the context of site visitors or administrators, potentially enabling session hijacking, theft of sensitive information, or further compromise of the WordPress environment. This could disrupt business operations, damage reputation, and lead to data breaches. Organizations with strict content filtering (unfiltered_html disabled) are particularly vulnerable. Given the widespread use of WordPress across Europe, especially in sectors like media, education, and government, the impact could be significant if exploited. However, the medium CVSS score and lack of known exploits suggest the immediate threat level is moderate but warrants proactive mitigation.

1. Monitor for official patches or updates from the Page Keys plugin developer and apply them promptly once available. 2. Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3. For multisite WordPress installations, review and harden configuration settings, particularly regarding the 'unfiltered_html' capability, to minimize exposure. 4. Implement additional input validation and output encoding at the application or web server level to mitigate injection of malicious scripts. 5. Conduct regular security audits and code reviews of installed plugins to detect similar vulnerabilities. 6. Use Web Application Firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense. 7. Educate administrators on the risks of XSS and safe content management practices. 8. Consider isolating multisite environments or limiting plugin usage to reduce attack surface. 9. Maintain up-to-date backups to enable recovery in case of compromise.