CVE-2025-15378 is a stored Cross-Site Scripting (XSS) vulnerability identified in the AJS Footnotes plugin for WordPress, which is widely used to add footnotes functionality to WordPress sites. The vulnerability affects all versions up to and including 1.0. The root cause is the lack of authorization checks and nonce verification during the saving of plugin settings, specifically for the 'note_list_class' and 'popup_display_effect_in' parameters. This absence of proper access control allows unauthenticated attackers to modify plugin settings. Additionally, the plugin fails to properly sanitize user input and escape output when rendering these parameters on web pages. As a result, attackers can inject malicious JavaScript code that is stored persistently and executed in the browsers of any users who visit the compromised pages. The vulnerability has a CVSS 3.1 base score of 7.2, reflecting its high severity, with an attack vector of network, no privileges required, no user interaction needed, and a scope change indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact includes partial loss of confidentiality and integrity, as attackers can steal cookies, session tokens, or perform actions on behalf of users. No patches or official fixes are currently available, and no known exploits have been reported in the wild. The vulnerability was published on January 14, 2026, and was assigned by Wordfence. Given the nature of WordPress plugins and their widespread use, this vulnerability poses a significant risk to many websites that have not updated or removed the affected plugin.

The impact of CVE-2025-15378 is significant for organizations running WordPress sites with the AJS Footnotes plugin installed. Successful exploitation allows unauthenticated attackers to inject persistent malicious scripts that execute in the context of any user visiting the affected pages. This can lead to theft of sensitive information such as authentication cookies, enabling session hijacking, unauthorized actions on behalf of users, defacement, or distribution of malware. The compromise of user accounts and site integrity can damage organizational reputation, lead to data breaches, and cause regulatory compliance issues. Since the vulnerability requires no authentication or user interaction, the attack surface is broad, increasing the likelihood of exploitation. The scope change in the CVSS vector indicates that the vulnerability affects components beyond the plugin itself, potentially impacting other parts of the website or user data. Although no known exploits are currently reported, the ease of exploitation and high impact make this a critical risk for affected sites worldwide.

To mitigate CVE-2025-15378, organizations should immediately assess their WordPress installations for the presence of the AJS Footnotes plugin. If found, they should remove or disable the plugin until a secure patched version is released. Since no patches are currently available, manual mitigation steps include implementing strict input validation and sanitization for the affected parameters ('note_list_class' and 'popup_display_effect_in') within the plugin code, ensuring all user inputs are properly escaped before output. Additionally, adding nonce verification and authorization checks on settings save operations is critical to prevent unauthorized modifications. Web application firewalls (WAFs) can be configured to detect and block suspicious payloads targeting these parameters. Monitoring web server logs for unusual requests to plugin settings endpoints can help identify exploitation attempts. Organizations should also educate site administrators on the risks of installing unverified plugins and enforce least privilege principles for WordPress user roles. Regular backups and incident response plans should be in place to recover quickly from potential compromises.