CVE-2025-4099: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in theandystratton List Children
The List Children plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'list_children' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-4099 is a stored Cross-Site Scripting (XSS) vulnerability affecting the List Children plugin for WordPress, developed by theandystratton. It exists in all versions of the plugin up to and including 2.1. The root cause is insufficient input sanitization and output escaping of user-supplied attributes in the plugin's 'list_children' shortcode: attribute values are written into the generated page without being escaped for the HTML context in which they appear. Authenticated attackers with contributor-level access or higher can exploit this by placing the shortcode with crafted attributes in content they are permitted to create, injecting arbitrary JavaScript into the pages the plugin renders. Because the payload is stored, it persists in the site's content and executes in the browser of every user who views the affected page. The CVSS 3.1 base score is 6.4 (medium severity). The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates that the attack is performed remotely over the network, has low attack complexity, requires no user interaction, and needs low privileges (contributor access). The scope is changed, meaning the impact reaches beyond the vulnerable plugin itself: the injected script runs in site visitors' browsers and can therefore affect the whole WordPress site. The impact is limited loss of confidentiality and integrity with no availability impact. No exploits in the wild are currently reported, and no patches have been published yet. The weakness is classified as CWE-79, improper neutralization of input during web page generation, which is the general weakness class behind XSS.
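As an added illustration (not the plugin's source, which this page does not include), the following constructed shortcode handler shows the bug class the advisory describes: the unsafe rendering beside a hardened version that uses WordPress's context-specific escaping functions. The attribute names parent, class and title are assumed for the example.

```php
<?php
// Constructed example of the bug class in CVE-2025-4099. Not the List
// Children plugin's code; attribute names (parent, class, title) are assumed.

// Unsafe pattern: shortcode attributes come straight from post content, which a
// contributor can edit, and are concatenated into HTML with no escaping.
function example_list_children_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'parent' => 0, 'class' => 'children', 'title' => '' ),
        $atts,
        'list_children'
    );
    $html = '<ul class="' . $atts['class'] . '">';             // attribute context
    if ( '' !== $atts['title'] ) {
        $html = '<h3>' . $atts['title'] . '</h3>' . $html;     // text context
    }
    foreach ( get_pages( array( 'child_of' => $atts['parent'] ) ) as $page ) {
        $html .= '<li><a href="' . get_permalink( $page ) . '">'
               . get_the_title( $page ) . '</a></li>';
    }
    return $html . '</ul>';
}

// Hardened pattern: coerce each attribute to the type it must have, then escape
// at output time for the exact context it lands in (esc_attr for attribute
// values, esc_html for text nodes, esc_url for href). Escaping is applied last,
// so sanitization cannot be bypassed with encoded input.
function example_list_children_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'parent' => 0, 'class' => 'children', 'title' => '' ),
        $atts,
        'list_children'
    );
    $parent = absint( $atts['parent'] );                          // page ID only
    $class  = sanitize_html_class( $atts['class'], 'children' );  // [A-Za-z0-9_-]
    $title  = sanitize_text_field( $atts['title'] );

    $html = '<ul class="' . esc_attr( $class ) . '">';
    if ( '' !== $title ) {
        $html = '<h3>' . esc_html( $title ) . '</h3>' . $html;
    }
    foreach ( get_pages( array( 'child_of' => $parent ) ) as $page ) {
        $html .= '<li><a href="' . esc_url( get_permalink( $page ) ) . '">'
               . esc_html( get_the_title( $page ) ) . '</a></li>';
    }
    return $html . '</ul>';
}
add_shortcode( 'list_children', 'example_list_children_safe' );
```

The same shortcode attributes reach both handlers; only the second one neutralizes them for the HTML context where they are emitted, which is what CWE-79 requires.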
Potential Impact
For European organizations running WordPress sites with the List Children plugin, this vulnerability poses a significant risk of persistent XSS attacks. Attackers with contributor-level access can inject scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, unauthorized actions performed on behalf of users, or distribution of malware. This can compromise the confidentiality and integrity of user data and site content. Organizations in sectors such as e-commerce, government, healthcare, and media, which often rely on WordPress for content management, may face reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. The scope change in the CVSS vector indicates that the vulnerability can affect components and users beyond the plugin itself, increasing the potential impact. Although no exploits are known in the wild yet, the ease of exploitation and the widespread use of WordPress in Europe make this a credible threat. Because no user interaction is required, any visitor to an affected page is at risk, amplifying the potential damage.
Mitigation Recommendations
1. Immediate mitigation should involve restricting contributor-level access to trusted users only, minimizing the risk of malicious script injection.
2. Administrators should audit all content generated via the 'list_children' shortcode for suspicious or unexpected scripts and remove any malicious code manually if patches are not yet available.
3. Implement a Web Application Firewall (WAF) with custom rules to detect and block typical XSS payloads targeting the List Children shortcode parameters.
4. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and scripts from untrusted sources, reducing the impact of any injected scripts.
5. Monitor WordPress plugin updates closely and apply patches as soon as they are released by the vendor.
6. Consider temporarily disabling or replacing the List Children plugin with alternative plugins that do not have this vulnerability until a fix is available.
7. Conduct regular security scans focusing on stored XSS vulnerabilities and review user roles and permissions to ensure the principle of least privilege is enforced.
8. Educate content contributors about safe input practices and the risks of injecting untrusted content.
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-29T17:22:51.998Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9839c4522896dcbecf80
Added to database: 5/21/2025, 9:09:13 AM
Last enriched: 6/25/2025, 5:40:15 PM
Last updated: 7/31/2025, 9:40:45 PM