CVE-2025-3749 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting the Breeze Display plugin for WordPress, versions up to and including 1.2.3. The vulnerability stems from insufficient sanitization and escaping of the 'cal_size' parameter during web page generation. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages rendered by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change due to impact on other users. No public exploits have been reported yet, but the vulnerability is significant because Contributor-level access is commonly granted in WordPress environments, and stored XSS can have persistent and widespread effects. The plugin is widely used in WordPress sites for displaying calendar or event information, making the attack surface considerable. The vulnerability was reserved on April 16, 2025, and published on April 24, 2025, with enrichment from CISA, indicating recognition by US cybersecurity authorities.

The primary impact of CVE-2025-3749 is the compromise of confidentiality and integrity of user data on affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users’ browsers, potentially leading to session hijacking, theft of authentication tokens, defacement, or unauthorized actions performed with victim privileges. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the injected page, increasing the scope of impact. Although availability is not directly affected, the reputational damage and potential data breaches can have severe consequences for organizations. Attackers with Contributor-level access can leverage this vulnerability to escalate privileges or conduct further attacks within the site or network. Organizations relying on Breeze Display for event or calendar display functionality face risks of user trust erosion, regulatory non-compliance if user data is exposed, and potential financial losses from exploitation. The medium CVSS score reflects the need for timely remediation but also indicates that exploitation requires some level of authentication, limiting immediate widespread exploitation.

1. Apply official patches or updates from the Breeze Display plugin vendor as soon as they become available to address the input sanitization and output escaping flaws. 2. Until patches are released, restrict Contributor-level access and above to trusted users only, minimizing the risk of malicious script injection. 3. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious payloads targeting the 'cal_size' parameter or typical XSS attack patterns. 4. Conduct regular security audits and code reviews of WordPress plugins, especially those handling user input and page rendering. 5. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 6. Educate site administrators and content contributors about the risks of XSS and safe content practices. 7. Monitor logs for unusual activities related to the plugin or user input fields. 8. Consider disabling or replacing the Breeze Display plugin if immediate patching is not feasible and the risk is unacceptable. 9. Use security plugins that sanitize user inputs and outputs as an additional layer of defense.