CVE-2025-15522 is a stored cross-site scripting vulnerability identified in the Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress. This plugin facilitates automation and integration workflows, including Discord user mappings via the automator_discord_user_mapping shortcode. The vulnerability stems from insufficient sanitization and escaping of the verified_message parameter, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When a user with a verified Discord account accesses such a page, the malicious script executes in their browser context. The vulnerability affects all plugin versions up to and including 6.10.0.2. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (Contributor or higher), no user interaction, and a scope change. The impact includes potential theft of session cookies, unauthorized actions performed on behalf of users, and possible further exploitation of the affected WordPress site. No known public exploits have been reported yet, but the vulnerability's presence in a popular WordPress plugin and the ease of exploitation by authenticated users make it a significant risk. The plugin’s widespread use in WordPress environments that integrate Discord services increases the attack surface. The vulnerability was published in January 2026, and no official patches are listed, indicating the need for immediate attention from site administrators.

The vulnerability allows attackers with Contributor-level access to inject persistent malicious scripts that execute in the context of users with verified Discord accounts. This can lead to session hijacking, credential theft, unauthorized actions on the WordPress site, and potential lateral movement within the environment. Organizations relying on this plugin for automation and Discord integration risk compromise of user accounts and data leakage. Since WordPress powers a significant portion of the web, including many business and community sites, the impact can be widespread. Attackers could leverage this vulnerability to target high-value users or administrators, potentially escalating privileges or deploying further malware. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the initially compromised component, increasing overall risk. Although no exploits are currently known in the wild, the medium severity and ease of exploitation by authenticated users make this a credible threat that could be weaponized quickly.

1. Immediately update the Uncanny Automator plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 3. Implement strict input validation and output encoding on the verified_message parameter within the plugin’s shortcode if custom modifications are possible. 4. Use Web Application Firewalls (WAFs) with rules to detect and block suspicious script injection attempts targeting this parameter. 5. Monitor logs for unusual activity related to the automator_discord_user_mapping shortcode and user interactions involving verified Discord accounts. 6. Educate site administrators and users about the risks of XSS and encourage the use of security plugins that can help detect and mitigate XSS attacks. 7. Consider disabling or limiting the use of the affected shortcode if it is not essential to site functionality. 8. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and user permission configurations.