CVE-2025-3661 identifies a stored Cross-Site Scripting (XSS) vulnerability within the SB Chart block plugin for WordPress, specifically related to the 'className' parameter. This vulnerability stems from insufficient input sanitization and output escaping, allowing attackers with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.2.6 of the SB Chart block plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with a network attack vector, low attack complexity, privileges required (Contributor or above), no user interaction needed, and a scope change due to the impact on other users. No public exploits have been reported yet, but the vulnerability is recognized by CISA and Wordfence, indicating credible risk. The root cause is the failure to properly neutralize input during web page generation, a classic CWE-79 issue. This vulnerability is particularly dangerous in multi-user WordPress environments where contributors can add content but are not fully trusted. Without proper patching or mitigation, attackers can leverage this to compromise site integrity and user trust.

The impact of CVE-2025-3661 is significant for organizations running WordPress sites with the vulnerable SB Chart block plugin. Exploitation allows authenticated users with relatively low privileges (Contributor or higher) to inject persistent malicious scripts, which execute in the context of other users visiting the affected pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, defacement, or distribution of malware. The vulnerability compromises the confidentiality and integrity of site data and user interactions, though it does not directly affect availability. Given WordPress's widespread use globally, especially among small to medium businesses, blogs, and content-driven sites, the scope of affected systems is broad. Attackers exploiting this vulnerability could escalate their influence within the site or pivot to further attacks. The medium CVSS score reflects the balance between the required privileges and the potential impact. Organizations that do not restrict Contributor-level access or fail to monitor plugin vulnerabilities are at higher risk.

To mitigate CVE-2025-3661, organizations should immediately update the SB Chart block plugin to a version where this vulnerability is patched once available. In the absence of an official patch, administrators should restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious script injections targeting the 'className' parameter can provide temporary protection. Additionally, site owners should audit existing content for injected scripts and remove any suspicious code. Employing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Developers maintaining the plugin should apply proper input validation and output encoding on all user-supplied data, particularly the 'className' parameter, to prevent injection. Regular security scanning and monitoring for anomalous behavior on WordPress sites using this plugin are also recommended. Finally, educating users about the risks of elevated privileges and enforcing the principle of least privilege will reduce attack surface.