CVE-2025-15058: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in spwebguy Responsive Pricing Table
CVE-2025-15058 is a stored cross-site scripting (XSS) vulnerability in the Responsive Pricing Table WordPress plugin by spwebguy, affecting all versions up to and including 5.1.12. Authenticated users with Contributor-level access or higher can inject malicious scripts via the 'table_currency' parameter because the value is neither sufficiently sanitized on input nor escaped on output. The stored script executes in the browser of any user who views the affected page, administrators included, which can lead to session hijacking, defacement, or other actions performed with the victim's privileges. The vulnerability carries a CVSS 3.1 base score of 6.4 (medium severity) and requires no user interaction beyond viewing the page. No exploitation in the wild is known at the time of writing, but the flaw is a real risk for sites that run this plugin and grant editing rights to several contributors. European organizations using WordPress sites with this plugin should prioritize patching or mitigating this issue. Countries with high WordPress adoption and active web development communities are more likely to be impacted.
AI Analysis
Technical Summary
The Responsive Pricing Table plugin for WordPress, developed by spwebguy, contains a stored cross-site scripting (XSS) vulnerability tracked as CVE-2025-15058. The root cause is improper neutralization of script-related HTML tags (CWE-80) in the 'table_currency' parameter: the value is insufficiently sanitized when saved and not escaped when rendered. An authenticated user with Contributor-level permissions or higher can therefore store arbitrary HTML and JavaScript in the pricing table content. Because the payload is persisted, it runs in the browser of every user who later views the affected page, in that user's session context, so it can read cookies or storage not protected by HttpOnly, drive authenticated requests through the victim's session, or rewrite the page. The attack vector is network-based with low complexity, and no user interaction beyond viewing the page is required. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) records that the attacker needs an account, that the scope changes (the script runs in other users' browsers, not only the attacker's), and that confidentiality and integrity are partially affected while availability is not. At the time of this analysis no official patch had been released and no exploitation in the wild had been reported. The popularity of WordPress and of pricing table plugins nonetheless makes this a notable risk for sites that allow multiple contributors to edit content.
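The following is an added illustration of the flaw described above and of its fix. It is not code from the Responsive Pricing Table plugin or from this advisory: the storage shape ($table['table_currency']), the function names, and the allow-list policy for what a currency marker may contain are assumptions. The esc_html() and sanitize_text_field() stand-ins exist only so the file runs outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added illustration, not code from the Responsive Pricing Table plugin: the
// storage shape ($table['table_currency']) and the function names are assumed.
// The point is the two-step fix: validate on save, escape on output.

// Stand-ins so this file runs outside WordPress. Inside WordPress the real
// esc_html() and sanitize_text_field() are already defined and are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($text)));
    }
}

// Vulnerable shape (CWE-80): the stored contributor-supplied value is
// concatenated into the page as-is, so any tag it contains becomes live markup.
function render_currency_vulnerable(array $table): string {
    return '<span class="rpt-currency">' . $table['table_currency'] . '</span>';
}

// Hardened, step 1: validate on save. A currency marker is a symbol or a short
// code (assumed policy: 1 to 5 letters, Unicode currency symbols or dots), so
// anything else is refused and the default is stored rather than "cleaned".
function save_currency(string $raw): string {
    $clean = sanitize_text_field($raw);
    return preg_match('/^[\p{L}\p{Sc}.]{1,5}$/u', $clean) === 1 ? $clean : '$';
}

// Hardened, step 2: escape on output, for the context the value lands in
// (element body here; esc_attr() would be the right call inside an attribute).
function render_currency_hardened(array $table): string {
    return '<span class="rpt-currency">' . esc_html($table['table_currency']) . '</span>';
}

if (PHP_SAPI === 'cli') {
    // Constructed payload of the kind a Contributor could submit; not from the advisory.
    $payload = '<img src=x onerror="alert(document.cookie)">';

    $as_stored_today = ['table_currency' => $payload];
    echo "vulnerable: ", render_currency_vulnerable($as_stored_today), PHP_EOL;

    $as_stored_fixed = ['table_currency' => save_currency($payload)];
    echo "validated : ", render_currency_hardened($as_stored_fixed), PHP_EOL;

    // Rows written before the fix still exist; output escaping alone makes them inert.
    echo "legacy row: ", render_currency_hardened($as_stored_today), PHP_EOL;
}
```

Run from the command line, the vulnerable render emits the img tag verbatim, the validated path refuses the payload and stores the default, and the legacy row comes out with its angle brackets and quotes entity-encoded so the browser displays it as text. The third case is why output escaping, not input sanitization, is the control that actually closes the hole: sanitize_text_field() strips tags but knows nothing about attribute or URL contexts, and rows saved before the fix are never re-sanitized.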
Potential Impact
For European organizations, this vulnerability can lead to unauthorized script execution on their WordPress sites, risking user data confidentiality and integrity. Attackers could hijack user sessions, deface websites, or inject malicious payloads such as phishing forms or malware delivery scripts. This is particularly concerning for organizations with public-facing websites that accept content contributions from multiple users, such as marketing teams or content creators. The compromise could damage brand reputation, lead to data breaches involving customer or employee information, and potentially violate GDPR requirements regarding data protection and breach notification. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the organization's network if internal users are targeted. The medium severity rating suggests a moderate but actionable risk that should not be ignored, especially given the ease of exploitation by authenticated users.
Mitigation Recommendations
European organizations should audit their WordPress installations for the Responsive Pricing Table plugin and compare the installed version against 5.1.12, the last version the advisory lists as affected. While no official patch is available, administrators should: restrict Contributor-level and higher roles to trusted users, and review which roles the plugin lets edit tables; add Web Application Firewall (WAF) rules for the 'table_currency' parameter, keeping in mind that the injection arrives through an authenticated request to the site's admin endpoints, so rules that only inspect anonymous front-end traffic will not see it; sanitize and validate input and, above all, escape output at the application level where possible; scan stored plugin data and rendered pages for unexpected script tags, event-handler attributes, or javascript: URLs; and brief content contributors on the risk of pasting untrusted markup. Plan to update the plugin as soon as a fixed version is released. A Content Security Policy (CSP) limits what an injected script can do, but only if the policy does not allow 'unsafe-inline' for scripts; a policy that does permits exactly the inline handlers this vulnerability injects. Regular security audits and monitoring for anomalous activity on WordPress sites help detect exploitation attempts early.
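As an added example for two of the application-level mitigations above, scanning stored content for injected script and shipping a CSP, the PHP file below is not the plugin's or the page's own code. The advisory does not say where the plugin stores table_currency, so the values are passed in as a plain array (the get_option() or post-meta call that fetches them on a real site is left to the reader); the indicator patterns, the policy string, and the mu-plugin usage are assumptions, while 'send_headers' is WordPress core's own action for emitting response headers. The same file runs stand-alone from the command line against constructed sample values.

```php
<?php
// Added illustration, not the plugin's code. Two mitigations from the list above:
// (1) flag stored values that carry script so an administrator can review them,
// (2) ship a Content-Security-Policy. Where the plugin stores table_currency is
// not stated in the advisory, so the values are passed in as a plain array.

// Indicators that a currency marker should never contain. Broad on purpose:
// this feeds a review queue, so a false positive costs a glance, a miss costs a site.
const SCRIPT_INDICATORS = [
    '/<\s*script\b/i',
    '/<\s*(iframe|object|embed|svg|math|meta|link)\b/i',
    '/\bon[a-z]+\s*=/i',                    // onerror=, onload=, onmouseover=, ...
    '/\b(javascript|vbscript|data)\s*:/i',  // scheme payloads in href/src/action
    '/<\s*\/?[a-z]/i',                      // any tag at all is wrong in this field
];

function looks_like_script_injection(string $value): bool {
    // Decode entities and drop NULs first so "&lt;svg ..." and "<svg ..." are judged alike.
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $decoded = str_replace("\0", '', $decoded);
    foreach (SCRIPT_INDICATORS as $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

/** Return only the table_id => value pairs that a human should look at. */
function audit_currency_values(array $values): array {
    $flagged = [];
    foreach ($values as $table_id => $currency) {
        if (looks_like_script_injection((string) $currency)) {
            $flagged[$table_id] = $currency;
        }
    }
    return $flagged;
}

// Inside WordPress (e.g. dropped in as wp-content/mu-plugins/csp.php) register the
// header on core's 'send_headers' action. Start in report-only mode: WordPress core
// and most themes emit inline scripts, so an enforced script-src 'self' without
// nonces or hashes breaks the site before it stops an attacker.
if (function_exists('add_action')) {
    add_action('send_headers', function () {
        header("Content-Security-Policy-Report-Only: default-src 'self'; "
             . "script-src 'self'; object-src 'none'; base-uri 'self'; "
             . "form-action 'self'");
    });
}

if (PHP_SAPI === 'cli') {
    // Constructed sample of stored values, not data from any real site.
    $sample = [
        'table_1' => '$',
        'table_2' => '€',
        'table_3' => 'USD',
        'table_4' => '<img src=x onerror=alert(document.cookie)>',
        'table_5' => '&lt;svg onload=alert(1)&gt;',
        'table_6' => '<a href="javascript:alert(1)">$</a>',
    ];
    print_r(audit_currency_values($sample));
}
```

From the command line the scan lists table_4, table_5 and table_6 and leaves the three legitimate markers alone; the entity-encoded row is caught because the check decodes before matching. Once the report-only CSP has run long enough to show which inline scripts the site legitimately needs, move those to nonces or hashes and switch the header to Content-Security-Policy, since the report-only form blocks nothing.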
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-23T19:31:54.374Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e4c147349d0379d7d581e
Added to database: 1/7/2026, 12:05:40 PM
Last enriched: 1/14/2026, 4:00:31 PM
Last updated: 2/6/2026, 7:51:07 PM