CVE-2025-4584 is a stored cross-site scripting vulnerability identified in the irmau IRM Newsroom plugin for WordPress, present in all versions up to and including 1.2.17. The vulnerability stems from improper neutralization of input during web page generation, specifically within the 'irmeventlist' shortcode. This shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time the affected page is accessed by any user, including administrators. The attack vector is remote over the network, with low complexity and no user interaction required, but it does require authenticated access with contributor or higher privileges. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser. Availability is not directly impacted. The CVSS 3.1 score of 6.4 reflects these factors, with a scope change due to the potential for privilege escalation or lateral movement within the site. No patches or official fixes are currently listed, and no known exploits have been reported in the wild. However, the vulnerability is significant for WordPress sites using this plugin, especially those with multiple contributors or less stringent access controls.

The primary impact of CVE-2025-4584 is the compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of authentication tokens, defacement of website content, and unauthorized actions performed with the privileges of the victim user. For organizations, this can result in data breaches, loss of user trust, reputational damage, and potential regulatory penalties if sensitive data is exposed. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts are the most likely vectors. The scope of impact can extend beyond the initial site if attackers leverage the vulnerability to escalate privileges or pivot to other systems. Given the widespread use of WordPress globally, sites using the IRM Newsroom plugin are at risk, especially those with multiple contributors and insufficient access controls. The lack of known exploits in the wild suggests limited current exploitation, but the vulnerability remains a significant risk if left unmitigated.

To mitigate CVE-2025-4584, organizations should first check for updates or patches from the irmau plugin developers and apply them promptly once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and review existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with custom rules to detect and block malicious script payloads in the 'irmeventlist' shortcode parameters can provide interim protection. Additionally, site owners should enforce strict input validation and output escaping at the application level, potentially by customizing the plugin code to sanitize user inputs properly. Regular security audits and monitoring for unusual behavior or injected scripts on pages using the shortcode are recommended. Employing Content Security Policy (CSP) headers can help mitigate the impact of any injected scripts by restricting script execution sources. Finally, educating contributors about secure content practices and monitoring user privileges can reduce the risk of exploitation.