CVE-2025-4171 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'WZ Followed Posts – Display what visitors are reading' developed by ajay. The vulnerability exists in all plugin versions up to 3.1.0 due to improper neutralization of input during web page generation, specifically within the 'wfp' shortcode. The root cause is insufficient sanitization and escaping of user-supplied attributes, allowing an authenticated attacker with contributor-level or higher privileges to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the browsers of any users who visit the affected pages, leading to potential session hijacking, credential theft, or unauthorized actions performed on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity with no effect on availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and recognized by CISA enrichment. The scope is considered changed (S:C), meaning the vulnerability affects resources beyond the initially compromised component. This vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks. The absence of a patch link suggests that users must monitor vendor updates or apply manual mitigations. Given the widespread use of WordPress and the popularity of plugins, this vulnerability poses a notable risk to websites using this plugin, especially those allowing contributor-level access to untrusted users.

The impact of CVE-2025-4171 is significant for organizations running WordPress sites with the vulnerable 'WZ Followed Posts' plugin. Exploitation allows authenticated contributors or higher to inject persistent malicious scripts, which execute in the context of any visitor's browser accessing the compromised pages. This can lead to theft of session cookies, enabling account takeover or privilege escalation, unauthorized actions performed on behalf of users, and potential spread of malware or phishing attacks. Confidentiality and integrity of user data and site content are at risk, though availability is not directly affected. Since contributors can inject scripts, insider threats or compromised contributor accounts increase risk. The vulnerability could be leveraged to target site administrators or high-value users by stealing credentials or session tokens. Organizations with large user bases or sensitive data hosted on WordPress sites are particularly vulnerable. The medium CVSS score reflects that exploitation requires some privileges but is otherwise straightforward, making it a credible threat. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits following disclosure. Failure to address this vulnerability could lead to reputational damage, data breaches, and regulatory compliance issues.

To mitigate CVE-2025-4171, organizations should first check for and apply any official patches or updates released by the plugin vendor. If no patch is available, administrators should consider temporarily disabling or removing the vulnerable plugin to eliminate the attack surface. Restrict contributor-level access strictly to trusted users and audit existing contributor accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'wfp' shortcode or suspicious script injections. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Sanitize and validate all user inputs rigorously, especially those that interact with shortcodes or dynamic content generation. Monitor logs and site behavior for signs of XSS exploitation or unusual user activity. Educate site contributors about the risks of injecting untrusted content and enforce strict content moderation policies. Regularly back up site data to enable recovery in case of compromise. Finally, consider using security plugins that provide enhanced input filtering and XSS protection tailored for WordPress environments.