CVE-2025-4172 identifies a stored cross-site scripting vulnerability in the VerticalResponse Newsletter Widget plugin for WordPress, developed by katzwebdesign. This vulnerability exists in all versions up to and including 1.6 due to insufficient sanitization and escaping of user input passed through the plugin's 'verticalresponse' shortcode. Specifically, authenticated users with contributor-level permissions or higher can embed arbitrary JavaScript code into pages or posts via shortcode attributes. Because the malicious script is stored persistently, it executes whenever any user accesses the infected page, potentially leading to session hijacking, defacement, or unauthorized actions performed in the context of the victim's browser session. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required (low), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No patches or fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability is publicly disclosed and enriched by CISA, indicating recognition by security authorities.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject malicious scripts into WordPress sites using the VerticalResponse Newsletter Widget. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, and defacement of website content. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the compromised pages, increasing the attack surface. Organizations relying on this plugin risk reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. Although availability is not directly affected, the integrity and confidentiality of site content and user interactions are at risk. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but many WordPress sites allow contributor-level roles broadly, increasing risk. The vulnerability could also be leveraged as a foothold for further attacks within the network or to distribute malware.

To mitigate this vulnerability, organizations should immediately audit their WordPress sites for the use of the VerticalResponse Newsletter Widget plugin and identify versions up to 1.6. Since no official patches are currently linked, administrators should consider temporarily disabling or removing the plugin until a fix is released. Restrict contributor-level permissions to trusted users only, and review user roles to minimize the number of accounts with such privileges. Implement web application firewalls (WAFs) with rules to detect and block suspicious shortcode attribute inputs or known XSS payload patterns. Employ Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of injected scripts. Regularly monitor site content for unauthorized changes or injected scripts. Educate site administrators and users about the risks of XSS and the importance of least privilege. Once a patch is available, promptly apply it and verify the remediation. Additionally, consider scanning the site with security tools to detect stored XSS payloads and remove them.