CVE-2025-15378 is a stored cross-site scripting vulnerability identified in the AJS Footnotes plugin for WordPress, affecting all versions up to and including 1.0. The root cause is the lack of authorization checks and nonce verification when saving plugin settings, specifically on the parameters 'note_list_class' and 'popup_display_effect_in'. These parameters are insufficiently sanitized and escaped before being stored and rendered on web pages. Because of this, an unauthenticated attacker can craft malicious input that gets saved in the plugin's settings and subsequently injected into pages viewed by other users. When a victim accesses an infected page, the malicious script executes in their browser context, potentially allowing attackers to steal cookies, perform actions on behalf of the user, or pivot to other attacks. The vulnerability is remotely exploitable over the network without any privileges or user interaction, increasing its risk profile. The CVSS 3.1 score of 7.2 reflects these factors, with a scope change indicating that the impact extends beyond the vulnerable component to the broader system. No known exploits are currently reported in the wild, but the vulnerability's characteristics make it a likely target for attackers once exploit code becomes available. The absence of patch links suggests that a fix has not yet been released, emphasizing the need for interim protective measures.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with the AJS Footnotes plugin installed. Successful exploitation can lead to unauthorized script execution in users' browsers, resulting in session hijacking, credential theft, defacement, or distribution of malware. This undermines the confidentiality and integrity of user data and the availability of services if attackers leverage the vulnerability for further attacks. Public-facing websites, e-commerce platforms, and portals handling sensitive user information are particularly at risk. The vulnerability's ability to be exploited without authentication or user interaction increases the likelihood of automated attacks and widespread exploitation. This can damage organizational reputation, lead to regulatory non-compliance under GDPR due to data breaches, and incur financial losses. Additionally, the scope change in the CVSS vector indicates that the impact can extend beyond the plugin to affect the entire WordPress installation and potentially connected systems.

Immediate mitigation steps include disabling the AJS Footnotes plugin until a security patch is released. Organizations should monitor official vendor channels for updates and apply patches promptly once available. In the interim, deploying web application firewall (WAF) rules to detect and block suspicious inputs targeting the vulnerable parameters can reduce risk. Implementing strict Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly auditing WordPress plugins for security and minimizing the use of unnecessary plugins reduces the attack surface. Organizations should also ensure that WordPress core and all plugins are kept up to date and that administrative interfaces are protected with strong authentication and IP restrictions where feasible. Conducting security awareness training for web administrators about the risks of plugin vulnerabilities and the importance of timely patching is recommended. Finally, monitoring web logs for unusual activity related to the vulnerable parameters can help detect attempted exploitation.