CVE-2025-15378 is a stored Cross-Site Scripting (XSS) vulnerability identified in the AJS Footnotes plugin for WordPress, affecting all versions up to and including 1.0. The vulnerability stems from two main issues: first, the plugin lacks proper authorization and nonce verification when saving settings, allowing unauthenticated attackers to modify plugin configurations. Second, it fails to adequately sanitize and escape user-supplied input in the 'note_list_class' and 'popup_display_effect_in' parameters. These weaknesses enable attackers to inject malicious JavaScript code into plugin settings, which is then stored persistently and executed in the browsers of any users who visit pages rendering the compromised footnotes. The vulnerability does not require authentication or user interaction, increasing its exploitation potential. The CVSS 3.1 score of 7.2 reflects a high severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The impact includes potential theft of cookies, session tokens, or other sensitive information, as well as the ability to perform actions on behalf of users. Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a significant risk for WordPress sites using this plugin. The absence of patches at the time of publication necessitates immediate mitigation efforts by site administrators.

For European organizations, this vulnerability poses a substantial risk to the confidentiality and integrity of user data on WordPress sites employing the AJS Footnotes plugin. Exploitation could lead to session hijacking, credential theft, or unauthorized actions performed in the context of authenticated users, potentially compromising sensitive business or customer information. Given the widespread use of WordPress across Europe, including in government, education, and commercial sectors, the vulnerability could facilitate targeted attacks against high-value entities. The persistent nature of stored XSS increases the likelihood of widespread impact once exploited. Additionally, the vulnerability could be leveraged to distribute malware or conduct phishing campaigns by injecting malicious scripts into trusted websites. The lack of authentication requirements lowers the barrier for attackers, increasing the threat landscape. Organizations may face reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions if exploited.

Organizations should immediately audit their WordPress installations to identify the presence of the AJS Footnotes plugin. If found, and no official patch is available, the plugin should be disabled or removed to eliminate the attack surface. Administrators should implement strict input validation and output encoding practices for any custom or third-party plugins to prevent similar vulnerabilities. Employing a Web Application Firewall (WAF) with rules to detect and block XSS payloads can provide an additional layer of defense. Monitoring web server and application logs for unusual parameter changes or suspicious requests targeting the vulnerable parameters is critical. Regularly updating WordPress core, themes, and plugins is essential once patches become available. Educating site administrators about the risks of installing unverified plugins and enforcing the principle of least privilege for plugin management can reduce future exposure. Finally, consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites.