
CVE-2025-4100: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in stur Nautic Pages

Severity: Medium
Tags: Vulnerability, CVE-2025-4100, CWE-79
Published: Thu May 01 2025 (05/01/2025, 06:40:15 UTC)
Source: CVE
Vendor/Project: stur
Product: Nautic Pages

Description

The Nautic Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'np_marinetraffic_map' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 06/25/2025, 19:43:53 UTC

Technical Analysis

CVE-2025-4100 is a stored cross-site scripting (XSS) vulnerability in the Nautic Pages plugin for WordPress, developed by stur, affecting all versions up to and including 2.0. The flaw lies in the handling of the 'np_marinetraffic_map' shortcode: the plugin does not adequately validate the shortcode's user-supplied attributes on input or escape them on output, so an authenticated user with contributor-level privileges or higher can supply attribute values that break out of the generated markup and inject arbitrary JavaScript. The payload is stored with the post and executes in the browser of anyone who renders that page. Shortcodes are the relevant vector because contributors cannot normally post raw HTML such as script tags (WordPress's KSES filter strips it for accounts without the unfiltered_html capability), whereas a shortcode is plain bracketed text that passes the filter and is expanded only at render time, after filtering has already taken place.

The vulnerability carries a CVSS 3.1 base score of 6.4 (medium), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: it is exploitable over the network with low attack complexity, requires contributor-level privileges, and needs no user interaction beyond viewing the affected page. The scope is changed because the injected script runs in the visitor's browser, outside the security authority of the WordPress instance that stored it. The impact is limited loss of confidentiality and integrity, with no effect on availability. At the time of this analysis no exploitation in the wild had been reported and no fixed version had been published. The weakness is classified as CWE-79, improper neutralization of user-controllable input before it is placed in web page output.
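The following is an added illustration of the CWE-79 pattern the analysis describes; it is not code from the Nautic Pages plugin, whose source is not shown on this page. It defines a hypothetical map shortcode twice: once concatenating attributes into HTML without escaping, and once with per-attribute validation and context-appropriate escaping. The shortcode names, attribute names and markup are invented for the example; the WordPress functions used (shortcode_atts, esc_attr, absint, sanitize_text_field, add_shortcode) are the real API, so the file runs inside a WordPress install, for instance dropped into wp-content/mu-plugins/ on a test site.

```php
<?php
/**
 * Added example (hypothetical, not Nautic Pages code): the unescaped
 * shortcode pattern behind CWE-79, beside a hardened version. Requires
 * WordPress; load from wp-content/mu-plugins/ on a test site.
 */

/**
 * VULNERABLE pattern. shortcode_atts() only merges defaults; it does not
 * sanitize. Attribute values reach the HTML exactly as the contributor
 * typed them, so a value such as
 *   title='x" onmouseover="alert(1)'
 * (single-quoted in the shortcode so the double quote survives parsing)
 * closes the title attribute and adds a live event handler.
 */
function np_demo_map_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'lat' => '0', 'lon' => '0', 'zoom' => '5', 'title' => '' ),
        $atts,
        'np_demo_map_unsafe'
    );
    return '<div class="np-map" data-lat="' . $atts['lat'] . '"'
        . ' data-lon="' . $atts['lon'] . '"'
        . ' data-zoom="' . $atts['zoom'] . '"'
        . ' title="' . $atts['title'] . '"></div>';
}
add_shortcode( 'np_demo_map_unsafe', 'np_demo_map_unsafe' );

/**
 * HARDENED pattern: validate each attribute for its expected type on input,
 * then escape at the point of output with the helper for that HTML context.
 */
function np_demo_map_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'lat' => '0', 'lon' => '0', 'zoom' => '5', 'title' => '' ),
        $atts,
        'np_demo_map_safe'
    );

    // Coordinates must be numbers within range; anything else is rejected.
    if ( ! is_numeric( $atts['lat'] ) || ! is_numeric( $atts['lon'] ) ) {
        return '';
    }
    $lat = (float) $atts['lat'];
    $lon = (float) $atts['lon'];
    if ( $lat < -90 || $lat > 90 || $lon < -180 || $lon > 180 ) {
        return '';
    }

    // Zoom is a small non-negative integer; absint() discards everything else.
    $zoom = min( max( absint( $atts['zoom'] ), 1 ), 18 );

    // Free text: strip tags and control characters on input, then escape for
    // an attribute context on output. esc_attr() encodes < > & " ' so the
    // value can neither close the attribute nor start a tag.
    $title = sanitize_text_field( $atts['title'] );

    return sprintf(
        '<div class="np-map" data-lat="%s" data-lon="%s" data-zoom="%d" title="%s"></div>',
        esc_attr( (string) $lat ),
        esc_attr( (string) $lon ),
        $zoom,
        esc_attr( $title )
    );
}
add_shortcode( 'np_demo_map_safe', 'np_demo_map_safe' );
```

To compare the two, save a post containing [np_demo_map_unsafe title='x" onmouseover="alert(1)'] and [np_demo_map_safe title='x" onmouseover="alert(1)'] and view it: the first emits a live onmouseover handler, the second renders the value as title="x&quot; onmouseover=&quot;alert(1)". The single-quoted shortcode attribute is what lets a double quote into the value in the first place.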

Potential Impact

For European organizations running WordPress sites with the Nautic Pages plugin, this vulnerability is a credible route to client-side script injection. An attacker with contributor-level access can embed a payload that runs in the browsers of site visitors and, more importantly, of the editors or administrators who review the content: contributors cannot publish on their own, so a pending post is typically first rendered by a privileged reviewer. Script running in an administrator's session can perform authenticated actions on their behalf (the usual escalation path from XSS in WordPress, since auth cookies are HttpOnly and not readable by script), harvest credentials through injected forms, or redirect visitors to malware. This compromises the confidentiality and integrity of user data and site content. The consequences are more serious for organizations that rely on WordPress for public-facing websites, internal portals, or customer interaction platforms, as a defaced or weaponised page undermines user trust and causes reputational damage. Because exploitation requires an authenticated account at contributor level or above, the risk is elevated where access controls are lax, contributor accounts are shared, or accounts have been compromised. No user interaction beyond viewing the page is required, so every visitor to an affected page is exposed once the payload is stored. Availability is not directly affected, but indirect consequences such as blacklisting by search engines or browsers because of malicious content can still disrupt site accessibility and business operations.

Mitigation Recommendations

1. Restrict contributor-level and higher access to trusted users, enforce strong authentication (including multi-factor authentication where available), and remove dormant or shared accounts; the vulnerability is only reachable with an authenticated account.
2. For the plugin maintainer: validate every shortcode attribute against its expected type (numbers, bounded ranges, URLs) and escape at output with the context-appropriate WordPress function (esc_attr, esc_url, esc_html, wp_json_encode). shortcode_atts() only merges defaults and performs no sanitization. Site operators cannot apply this themselves without patching the plugin.
3. Audit existing and pending content for 'np_marinetraffic_map' shortcodes whose attribute values contain quotes, angle brackets, event-handler names or javascript: URLs, and review suspicious contributor submissions as text (the editor's code view or the database) rather than by previewing them in a browser, since the preview itself renders the payload.
4. Employ a Web Application Firewall (WAF) with rules that detect typical XSS patterns in the 'np_marinetraffic_map' shortcode parameters. Such rules inspect the request that saves the post; once the payload is stored, the rendered page is served from the database and carries no attacker-supplied request parameter.
5. Until an official patch is released, disable or remove the Nautic Pages plugin if it is not essential; otherwise restrict who may author content that contains its shortcode.
6. Educate site administrators and contributors about the risks of XSS and the importance of cautious content creation.
7. Regularly update WordPress core and plugins, and apply the fixed Nautic Pages version as soon as one is published.
8. Deploy a Content Security Policy (CSP) that disallows inline script (nonce- or hash-based rather than 'unsafe-inline'); this blocks the attribute-injected handlers and inline scripts typical of this bug class. Test it first, as many themes and plugins emit inline scripts.

These measures combined reduce the attack surface and mitigate exploitation risk.
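As an added example of the content audit in step 3 (not part of the original advisory and not the plugin's code), the following plain PHP script finds every 'np_marinetraffic_map' shortcode in post content and flags attribute values that contain markup, event-handler names, javascript: URLs or quote-based attribute breakouts. It has no WordPress dependency; the three post rows are constructed for the example, and the attribute forms it parses mirror the three WordPress accepts (double-quoted, single-quoted, bare). On a live site, feed it rows exported from wp_posts, for instance with `wp post list --post_type=any --post_status=any --fields=ID,post_author,post_content --format=json`.

```php
<?php
/**
 * Added example: audit stored post content for np_marinetraffic_map shortcode
 * instances whose attribute values look like markup or script. Plain PHP,
 * no WordPress dependency; the sample rows below are constructed.
 */

/** Return the raw attribute string of every [$tag ...] occurrence in $content. */
function np_extract_shortcodes( string $content, string $tag ): array {
    // The tag must be followed by whitespace or the closing bracket.
    $pattern = '/\[' . preg_quote( $tag, '/' ) . '((?:\s+[^\]]*)?)\]/';
    preg_match_all( $pattern, $content, $m );
    return $m[1];
}

/** Parse key="v", key='v' and key=v pairs (the forms WordPress accepts). */
function np_parse_atts( string $raw ): array {
    $atts = array();
    $re = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/';
    preg_match_all( $re, $raw, $m, PREG_SET_ORDER );
    foreach ( $m as $a ) {
        // Only one of groups 2..4 matches; unmatched trailing groups are absent.
        $value = $a[2];
        if ( $value === '' ) { $value = $a[3] ?? ''; }
        if ( $value === '' ) { $value = $a[4] ?? ''; }
        $atts[ strtolower( $a[1] ) ] = $value;
    }
    return $atts;
}

/** Return a short reason if $value looks like an injection attempt, else null. */
function np_suspicious_value( string $value ): ?string {
    $checks = array(
        'html tag'           => '/<\s*\/?\s*[a-z]/i',
        'event handler'      => '/\bon[a-z]+\s*=/i',
        'javascript: URL'    => '/javascript\s*:/i',
        'attribute breakout' => '/["\']\s*[a-z-]+\s*=/i',
    );
    foreach ( $checks as $reason => $re ) {
        if ( preg_match( $re, $value ) ) {
            return $reason;
        }
    }
    return null;
}

/** Run the checks over rows shaped like wp_posts (ID, post_author, post_content). */
function np_audit_posts( array $posts, string $tag = 'np_marinetraffic_map' ): array {
    $findings = array();
    foreach ( $posts as $post ) {
        foreach ( np_extract_shortcodes( $post['post_content'], $tag ) as $raw ) {
            foreach ( np_parse_atts( $raw ) as $name => $value ) {
                $reason = np_suspicious_value( $value );
                if ( $reason !== null ) {
                    $findings[] = array(
                        'post_id' => $post['ID'],
                        'author'  => $post['post_author'],
                        'attr'    => $name,
                        'value'   => $value,
                        'reason'  => $reason,
                    );
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows, not real site data. Row 102 shows the classic
// breakout: a single-quoted shortcode value carrying a double quote and an
// event handler, which an unescaped handler would emit verbatim.
$sample_posts = array(
    array( 'ID' => 101, 'post_author' => 'editor1',
           'post_content' => 'Harbour traffic: [np_marinetraffic_map lat="52.37" lon="4.89" zoom=8]' ),
    array( 'ID' => 102, 'post_author' => 'contrib7',
           'post_content' => "[np_marinetraffic_map lat='52.37\" onmouseover=\"alert(1)' lon=4.89]" ),
    array( 'ID' => 103, 'post_author' => 'contrib7',
           'post_content' => '[np_marinetraffic_map lat="0" lon="0" title="javascript:alert(1)"]' ),
);

foreach ( np_audit_posts( $sample_posts ) as $f ) {
    printf( "post %d by %s: attribute %s flagged (%s): %s\n",
        $f['post_id'], $f['author'], $f['attr'], $f['reason'], $f['value'] );
}
```

Run with `php audit.php`: row 101 produces nothing, row 102 is flagged on lat as an event handler, and row 103 is flagged on title as a javascript: URL. The checks are deliberately broad; the point is to surface candidates for manual review as text, not to replace the plugin fix.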


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-04-29T17:46:44.443Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9839c4522896dcbecc29

Added to database: 5/21/2025, 9:09:13 AM

Last enriched: 6/25/2025, 7:43:53 PM

Last updated: 7/26/2025, 2:44:36 PM

