CVE-2025-23864 identifies a Stored Cross-site Scripting (XSS) vulnerability in the Luke America WCS QR Code Generator plugin, specifically versions up to 1.0. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be injected and stored persistently within the application. When other users access the affected pages, the malicious scripts execute in their browsers, potentially compromising session cookies, redirecting users to malicious sites, or performing unauthorized actions on their behalf. Stored XSS is particularly dangerous because the payload is saved on the server and delivered to multiple users, increasing the attack surface. The plugin is commonly used in WordPress environments to generate QR codes, making it a target in websites that rely on this functionality. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. However, the vulnerability's nature suggests a high risk if exploited. The lack of patches at the time of publication means organizations must implement interim controls. The vulnerability was publicly disclosed on January 16, 2025, by Patchstack, which assigned the CVE. The absence of patch links indicates that a fix may not yet be available, emphasizing the need for immediate mitigation.

If exploited, this Stored XSS vulnerability can severely impact organizations by compromising user confidentiality and integrity. Attackers can steal session tokens, enabling account takeover, or inject malicious scripts that perform unauthorized actions, potentially leading to data breaches or defacement. The persistent nature of the vulnerability means multiple users can be affected over time, increasing the scope of impact. For organizations relying on the WCS QR Code Generator plugin, this can undermine trust and lead to reputational damage. Additionally, attackers could use the vulnerability as a foothold for further attacks within the network. The lack of authentication requirements lowers the barrier for exploitation, making it accessible to remote attackers. The vulnerability does not directly affect availability but can indirectly cause service disruptions through exploitation consequences. Overall, the threat poses a high risk to organizations using the affected plugin, especially those handling sensitive user data or operating in regulated industries.

Organizations should immediately audit their use of the Luke America WCS QR Code Generator plugin and disable it if possible until a patch is available. Implement strict input validation and sanitization on all user-supplied data fields related to QR code generation to prevent malicious script injection. Employ output encoding techniques, such as HTML entity encoding, to neutralize any potentially harmful content before rendering it in web pages. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor web server and application logs for unusual input patterns or repeated attempts to inject scripts. Educate developers and administrators about secure coding practices to prevent similar vulnerabilities. If feasible, isolate the plugin's functionality in a sandboxed environment to limit the impact of potential exploitation. Stay updated with vendor announcements and apply patches promptly once released. Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads as an additional protective layer.