CVE-2025-15058 is a stored cross-site scripting vulnerability identified in the Responsive Pricing Table plugin for WordPress, developed by spwebguy. This vulnerability exists in all versions up to and including 5.1.12 due to improper neutralization of script-related HTML tags (CWE-80) in the 'table_currency' parameter. The flaw allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages that utilize this plugin. Because the injected scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser session. The vulnerability stems from insufficient input sanitization and lack of output escaping, which fails to prevent malicious script tags from being saved and rendered. The CVSS 3.1 base score of 6.4 indicates a medium severity, with an attack vector over the network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change due to affecting other users. No known exploits have been reported in the wild, and no official patches are currently available, increasing the urgency for proactive mitigation. This vulnerability is particularly relevant for WordPress sites that use the Responsive Pricing Table plugin to display pricing information, commonly found in e-commerce, marketing, and service websites.

For European organizations, this vulnerability poses a risk primarily to websites running WordPress with the Responsive Pricing Table plugin installed. Exploitation can lead to unauthorized script execution in users' browsers, resulting in session hijacking, theft of sensitive information, defacement, or redirection to malicious sites. This can damage organizational reputation, lead to data breaches, and potentially violate GDPR requirements concerning data protection and breach notification. Since the attack requires authenticated Contributor-level access, insider threats or compromised accounts increase risk. Small and medium enterprises (SMEs) and organizations relying on WordPress for customer-facing sites are particularly vulnerable. The persistent nature of stored XSS means that once exploited, multiple users can be affected over time, amplifying impact. Additionally, the scope change in the CVSS vector indicates that the vulnerability affects more than just the attacker’s privileges, potentially compromising other users’ data and site integrity.

1. Immediately audit and restrict Contributor-level access on WordPress sites using the Responsive Pricing Table plugin to trusted users only. 2. Implement strict input validation and output encoding on the 'table_currency' parameter at the application level, using security libraries or WordPress security APIs to sanitize inputs and escape outputs. 3. Monitor website content for suspicious or unexpected script tags, especially in pricing table sections. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to inject script tags via the vulnerable parameter. 5. Encourage plugin developers or maintainers to release a patch and apply it promptly once available. 6. Educate site administrators and content contributors about the risks of XSS and safe content practices. 7. Regularly update WordPress core and plugins to minimize exposure to known vulnerabilities. 8. Consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites.