CVE-2025-2906 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Contempo Real Estate Core plugin for WordPress, affecting all versions up to and including 3.6.3. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes within shortcodes, which are a common feature in WordPress plugins to embed dynamic content. Authenticated users with contributor-level or higher permissions can exploit this flaw by injecting arbitrary JavaScript code into pages via shortcode attributes. Because the malicious script is stored persistently, it executes in the browser context of any user who views the infected page, potentially compromising session tokens, cookies, or enabling unauthorized actions on behalf of the victim. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common and dangerous web security issue. The CVSS v3.1 base score is 6.4, reflecting medium severity, with attack vector being network-based, low attack complexity, requiring privileges (contributor or higher), no user interaction, and scope changed due to impact on other users. No public exploits are currently known, but the vulnerability is significant given the widespread use of WordPress and the plugin’s role in real estate websites. The lack of a patch link indicates that a fix may not yet be released, increasing urgency for mitigation through access control and monitoring.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into website pages, which execute in the browsers of visitors and other users. This can lead to theft of authentication cookies, session hijacking, defacement, or redirection to malicious sites. For organizations, this undermines user trust, risks data confidentiality, and can lead to unauthorized actions performed under legitimate user sessions. Since the vulnerability affects a plugin used in real estate websites, which often handle sensitive client information and financial data, the risk is amplified. The scope includes all users who visit compromised pages, potentially including administrators if they view affected content. Although no known exploits exist yet, the ease of exploitation by authenticated contributors and the persistent nature of the attack make it a significant threat. The medium CVSS score reflects moderate impact on confidentiality and integrity, with no direct availability impact.

Organizations should immediately audit their WordPress installations to identify the presence of the Contempo Real Estate Core plugin and its version. Until an official patch is released, restrict contributor-level permissions to trusted users only, or temporarily disable the plugin if feasible. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs that may contain script tags or event handlers. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly monitor website content for unauthorized changes or injected scripts. Educate contributors about safe input practices and the risks of injecting untrusted content. Once a patch is available, apply it promptly. Additionally, conduct thorough security reviews of all plugins and limit plugin usage to those from trusted sources with active maintenance.