CVE-2025-3749: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mgyura Breeze Display

Medium
Published: Thu Apr 24 2025 (04/24/2025, 22:22:13 UTC)
Source: CVE
Vendor/Project: mgyura
Product: Breeze Display

Description

The Breeze Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cal_size’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 06/24/2025, 15:27:33 UTC

Technical Analysis

CVE-2025-3749 is a stored cross-site scripting (XSS) vulnerability in the Breeze Display plugin for WordPress by mgyura, classified as CWE-79 (improper neutralization of input during web page generation). The sink is the ‘cal_size’ parameter: versions up to and including 1.2.3 neither validate it on input nor escape it on output, so an authenticated user with Contributor-level access or higher can store arbitrary JavaScript that runs in the browser of anyone who views the affected page. The Contributor requirement matters for two reasons. First, it rules out anonymous exploitation. Second, it does not make the bug low-value: WordPress strips script tags and event-handler attributes from a Contributor's post body (the role lacks the unfiltered_html capability), but that filter acts on the stored HTML, not on markup a plugin generates at render time from a parameter it never escaped, which is exactly how this class of bug lets a low-privileged author get past the built-in protection. Contributors also cannot publish, so the typical execution path is an Editor or Administrator previewing or reviewing the submission; a payload firing in that session can create users, change settings or install plugins through the WordPress REST API or admin forms, turning the XSS into a full site takeover. Other consequences are the usual ones for stored XSS: session hijacking, redirection to attacker-controlled sites, defacement and theft of data shown on the page. The record lists no known exploitation in the wild and does not name a fixed release; check the plugin's changelog for a version later than 1.2.3 rather than assuming one exists. The CVE was reserved on 2025-04-16 and published on 2025-04-24 with Wordfence as the assigning CNA and CISA enrichment, so the report itself is credible. No CVSS vector is recorded here, so the Medium rating above is an independent assessment based on the characteristics described.
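The pattern described above, as an added illustration that is not the plugin's code: the record gives no source, so the shortcode name (breeze_display), the handler shape and the use of cal_size as a shortcode attribute rendered into a style attribute are assumptions. The stand-ins for shortcode_atts, esc_attr and absint exist only so the file runs outside WordPress; inside WordPress the real functions take over.

```php
<?php
// Added illustration, not code from the Breeze Display plugin. It assumes
// 'cal_size' is a shortcode attribute echoed into an HTML attribute context;
// the real handler, shortcode name and markup are not given in the record.

// Minimal stand-ins so this file also runs outside WordPress.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array
    {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($v): int
    {
        return abs((int) $v);
    }
}

// Vulnerable pattern: the attribute value is concatenated into HTML unescaped.
// A Contributor can store [breeze_display cal_size='300" onmouseover="alert(1)//']
// in a post. WordPress' KSES filter strips tags and event handlers from the post
// body on save, but never sees the markup this handler builds at render time.
function breeze_display_vulnerable(array $atts): string
{
    $a = shortcode_atts(['cal_size' => '300'], $atts);
    return '<div class="breeze-cal" style="width:' . $a['cal_size'] . 'px">...</div>';
}

// Hardened: validate to the type the attribute actually is (a pixel count),
// clamp it to sane bounds, and still escape at the point of output.
function breeze_display_fixed(array $atts): string
{
    $a = shortcode_atts(['cal_size' => '300'], $atts);
    $size = absint($a['cal_size']);
    if ($size < 50 || $size > 2000) {
        $size = 300;
    }
    return '<div class="breeze-cal" style="width:' . esc_attr((string) $size) . 'px">...</div>';
}

// Constructed payload in the shape a stored-XSS test would use: the embedded
// double quote closes the style attribute and opens an event handler; the
// trailing // comments out whatever the handler appends after the value.
$payload = ['cal_size' => '300" onmouseover="alert(document.cookie)//'];

echo "vulnerable: ", breeze_display_vulnerable($payload), PHP_EOL;
echo "fixed:      ", breeze_display_fixed($payload), PHP_EOL;
```

Run with `php example.php`: the first line carries the injected onmouseover handler as a live attribute, the second renders only a plain numeric width, because the integer cast discards everything after the leading digits and the escaping would neutralize the quote even if validation were missing.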

Potential Impact

For European organizations running WordPress with the Breeze Display plugin the risk is moderate rather than severe, and it is concentrated in sites that accept content from several low-privileged authors. Confidentiality: a stored payload runs with the viewer's session, so it can read cookies not marked HttpOnly, the page content and, when the viewer is an Editor or Administrator, act on their behalf in the WordPress admin. Integrity: injected content can deface pages, plant phishing forms or redirect visitors, with reputational damage to the site owner. Availability: low, though a script that breaks page rendering is possible. Public-sector, media and education sites, which commonly use WordPress for public-facing content and grant Contributor accounts to many people, are the most exposed, and a public-facing site is also where injected phishing or malware-distribution content reaches the widest audience. No exploitation in the wild is recorded, but stored XSS in WordPress plugins is routinely weaponized once details are public, so the absence of a known exploit should not be read as the absence of risk.

Mitigation Recommendations

1. Restrict Contributor-level and higher accounts to vetted people, remove dormant ones, and review who can submit content; the vulnerability is only reachable from such an account.
2. Until a fixed release is installed, have reviewers inspect pending submissions in the text (code) editor before previewing them: a shortcode whose cal_size value is anything other than a plain number is a red flag, and the preview is the step in which an Editor's or Administrator's browser would execute the payload.
3. Add WAF rules that inspect the requests in which content is saved (post editor, REST API and XML-RPC), not only page views, for cal_size values containing quotes, angle brackets, event-handler names or javascript: URIs. Treat this as a stopgap: stored-XSS filters are bypassable, and the rule must not block legitimate numeric values.
4. Deploy a Content Security Policy that disallows inline scripts on the public site if the theme and plugins tolerate it. Note that the WordPress admin and many themes rely heavily on inline scripts, so CSP rarely protects the admin-side preview path where this bug is most dangerous.
5. Audit existing post content (published, draft and pending) for shortcodes carrying a non-numeric cal_size value and clean or remove them; a compromised account may already have stored a payload.
6. Monitor for indicators of successful exploitation rather than only for the payload: new administrator accounts, changed site URL or admin e-mail, newly installed plugins or themes, and modified core or theme files.
7. Track the vendor's changelog and update as soon as a release later than 1.2.3 that addresses this issue is available; the proper fix is for the plugin to validate cal_size as an integer and escape it at output.
8. If no fix is available and the plugin is not essential, disable or replace it.
9. Brief administrators and contributors on XSS risk, in particular that content which looks harmless in the visual editor can carry a payload inside a shortcode attribute.
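The content audit in the list above, as an added example that is not part of the advisory or the plugin: it flags any shortcode whose cal_size attribute is not a plain integer. The Breeze Display shortcode tag is not given in the record, so the regular expression accepts any [tag ... cal_size=...]; if the tag is known, WordPress's own get_shortcode_regex() can narrow the match. Inside WordPress you would feed it post_content rows (for example from $wpdb); here the input is a constructed array.

```php
<?php
// Added example for the content-audit step; not from the advisory or the plugin.
// Returns post IDs mapped to the suspicious cal_size values found in them.

function find_suspicious_cal_size(array $posts): array
{
    // Inside a shortcode, capture cal_size="...", cal_size='...' or a bare value.
    // The shortcode tag is unknown, so any [tag ...] is inspected (assumption).
    $re = '/\[[a-z0-9_-]+\b[^\]]*?\bcal_size\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';
    $hits = [];
    foreach ($posts as $postId => $content) {
        if (!preg_match_all($re, $content, $matches, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($matches as $m) {
            // Pick whichever capture group matched (double-quoted, single-quoted, bare).
            $value = '';
            foreach ([1, 2, 3] as $g) {
                if (isset($m[$g]) && $m[$g] !== '') {
                    $value = $m[$g];
                    break;
                }
            }
            // A legitimate size is a plain integer. Anything else (embedded quotes,
            // event handlers, javascript: URIs, CSS expressions) is flagged for review.
            if (!ctype_digit($value)) {
                $hits[$postId][] = $value;
            }
        }
    }
    return $hits;
}

// Constructed sample content: two benign uses, one payload, one non-shortcode mention.
$posts = [
    101 => 'Team calendar: [breeze_display cal_size="400"]',
    102 => 'Agenda [breeze_display cal_size=\'300" onmouseover="alert(document.cookie)//\'] see below',
    103 => 'Plain text that mentions cal_size=abc outside any shortcode.',
    104 => '[breeze_display cal_size=250 theme="dark"]',
];

foreach (find_suspicious_cal_size($posts) as $postId => $values) {
    foreach ($values as $v) {
        printf("post %d: suspicious cal_size value %s\n", $postId, var_export($v, true));
    }
}
```

Only post 102 is reported: 101 and 104 carry plain integers, and 103 mentions cal_size outside any shortcode, which the plugin would never interpret. Run the audit over drafts and pending posts as well as published ones, since the dangerous render happens at preview time.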

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-04-16T20:42:12.086Z
Cisa Enriched
true

Threat ID: 682d983ec4522896dcbefeed

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 6/24/2025, 3:27:33 PM

Last updated: 8/1/2025, 6:05:28 PM
