CVE-2025-4055 is a stored cross-site scripting (XSS) vulnerability identified in the Multiple Post Type Order plugin for WordPress, maintained by josj404. The vulnerability affects all versions up to and including 1.10.0. It stems from insufficient sanitization and escaping of user-supplied input within the plugin's 'mpto' shortcode attributes. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions within the context of the victim’s browser session. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security weakness. The CVSS v3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact affects confidentiality and integrity but not availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (May 7, 2025).

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected WordPress sites. An attacker with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors or administrators, enabling session hijacking, credential theft, or unauthorized actions performed with the victim’s privileges. This can lead to account takeover, data leakage, defacement, or further compromise of the website. Since WordPress powers a significant portion of the web, and the Multiple Post Type Order plugin is used to customize post ordering, many organizations relying on this plugin could be at risk. The vulnerability does not affect availability directly but can undermine trust and lead to reputational damage. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but contributor-level access is relatively low privilege, increasing the risk. The scope change indicates that the vulnerability can affect resources beyond the attacker’s privileges, potentially impacting other users.

Organizations should immediately audit their WordPress installations for the presence of the Multiple Post Type Order plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. If removal is not feasible, restrict contributor-level and higher privileges to trusted users only, and monitor for suspicious activity. Implement web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'mpto' shortcode parameters. Additionally, enforce strict content security policies (CSP) to limit the execution of unauthorized scripts. Site owners should also review and sanitize existing content that may have been injected with malicious scripts. Regularly update WordPress core and plugins once patches become available. Finally, educate content contributors about the risks of injecting untrusted input and enforce least privilege principles to minimize the number of users with contributor or higher access.