CVE-2025-3750 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Network Posts Extended plugin for WordPress, affecting all versions up to and including 7.7.1. The root cause is insufficient sanitization and escaping of the 'post_height' parameter, which is used during web page generation. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into posts or pages. Because the vulnerability is stored, the malicious script persists in the database and executes whenever any user accesses the compromised page, potentially affecting site administrators, editors, and visitors. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects network attack vector, low attack complexity, requiring privileges but no user interaction, with a scope change and low impact on confidentiality and integrity, and no impact on availability. No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is widely used in WordPress environments, which are prevalent globally, increasing the potential attack surface.

The exploitation of this vulnerability can lead to significant security risks for organizations running WordPress sites with the Network Posts Extended plugin. Attackers can execute arbitrary scripts in the context of other users, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions such as content manipulation or privilege escalation. This can damage organizational reputation, lead to data breaches, and compromise user trust. Since the vulnerability requires authenticated access at Contributor level or above, insider threats or compromised accounts pose a particular risk. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire WordPress site and its users. Given WordPress's extensive global usage, especially in small to medium enterprises, blogs, and content-heavy websites, the impact can be widespread if not mitigated. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure.

Organizations should immediately audit their WordPress installations to identify the presence of the Network Posts Extended plugin and verify the version in use. Since no official patch links are provided, administrators should monitor the vendor's site and trusted security advisories for updates or patches. In the interim, restricting Contributor-level user permissions and reviewing user roles can reduce the risk of exploitation. Employing Web Application Firewalls (WAFs) with rules targeting XSS payloads in the 'post_height' parameter can help block exploitation attempts. Additionally, implementing Content Security Policy (CSP) headers can mitigate the impact of injected scripts by restricting script execution sources. Regularly scanning the site for injected scripts or anomalous content is recommended. Site owners should also educate contributors about safe content practices and monitor for suspicious activity. Finally, consider disabling or replacing the vulnerable plugin with alternatives that follow secure coding practices until a patch is available.