CVE-2025-4220 identifies a stored cross-site scripting (XSS) vulnerability in the Xavin's List Subpages plugin for WordPress, specifically in the 'xls' shortcode functionality. The root cause is insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or unauthorized actions within the context of the victim's browser session. The vulnerability affects all versions up to and including 1.3 of the plugin. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, requiring privileges (contributor or higher), no user interaction, and a scope change due to affecting other users. Confidentiality and integrity impacts are low, while availability is unaffected. No patches are currently available, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, highlighting improper neutralization of input during web page generation. The plugin's widespread use in WordPress sites makes this a notable risk, especially for sites allowing contributor-level access to untrusted users.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, including administrators and other privileged users. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of victims, and defacement of site content. Although availability is not directly impacted, the reputational damage and trust erosion can be significant. Organizations relying on the Xavin's List Subpages plugin risk exposure to targeted attacks, especially if contributor accounts are compromised or granted to untrusted users. The scope of affected systems is broad given WordPress's global popularity, and the vulnerability's exploitation does not require user interaction, increasing risk. However, the need for contributor-level privileges limits exploitation to insiders or compromised accounts rather than anonymous attackers.

To mitigate this vulnerability, organizations should immediately restrict contributor-level access to trusted users only, minimizing the risk of malicious input injection. Site administrators should monitor and audit contributor activities for suspicious shortcode usage or unexpected content changes. Until an official patch is released, applying manual input sanitization and output escaping in the plugin's shortcode processing code can reduce risk. Employing Web Application Firewalls (WAFs) with custom rules to detect and block malicious script patterns in shortcode attributes can provide additional protection. Regularly updating WordPress core and plugins, and subscribing to security advisories for this plugin, will ensure timely patching once available. Additionally, implementing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Finally, educating contributors about safe content practices and monitoring site logs for unusual behavior are important operational controls.