
CVE-2025-4586: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in irmau IRM Newsroom

Medium
Tags: Vulnerability, CVE-2025-4586, cve, cve-2025-4586, cwe-79
Published: Fri Jun 13 2025 (06/13/2025, 01:47:49 UTC)
Source: CVE Database V5
Vendor/Project: irmau
Product: IRM Newsroom

Description

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmcalendarview' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 06/13/2025, 02:56:02 UTC

Technical Analysis

CVE-2025-4586 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the IRM Newsroom plugin for WordPress, specifically in versions up to and including 1.2.17. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The flaw exists in the plugin's 'irmcalendarview' shortcode, where user-supplied attributes are insufficiently sanitized and output escaping is inadequate. This allows an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed in the context of the victim's browser session. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity; it requires contributor-level privileges, and no user interaction is needed once the malicious script has been stored. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component. No known exploits are currently reported in the wild, and no official patches have been published as of the vulnerability disclosure date (June 13, 2025).

Potential Impact

For European organizations using WordPress sites with the IRM Newsroom plugin, this vulnerability poses a significant risk to the confidentiality and integrity of user sessions and data. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to theft of authentication tokens, defacement, or unauthorized actions performed on behalf of users. This is particularly concerning for organizations relying on IRM Newsroom for publishing news or internal communications, as the injected scripts could be used to spread misinformation or conduct targeted phishing attacks. The vulnerability does not directly impact availability but can indirectly affect trust and operational continuity if exploited. Given that contributor-level access is required, the threat is more relevant in environments where multiple users have content creation privileges, such as media companies, public institutions, and corporate intranets. The scope change indicates that the impact could extend beyond the plugin itself, potentially affecting other parts of the website or integrated systems. The absence of known exploits reduces immediate risk but does not preclude future exploitation, especially as the vulnerability is publicly disclosed.

Mitigation Recommendations

Immediately restrict contributor-level access to trusted users only until a patch is available. Implement strict input validation and output encoding on all user-supplied attributes related to the 'irmcalendarview' shortcode, possibly by deploying Web Application Firewall (WAF) rules tailored to detect and block suspicious script injections targeting this shortcode. Monitor WordPress user activity logs for unusual contributor behavior, such as unexpected shortcode usage or content modifications. Consider temporarily disabling or removing the IRM Newsroom plugin if it is not critical to operations or if a patch is not yet available. Educate content contributors about the risks of injecting untrusted content and enforce content submission guidelines. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS payloads. Regularly update WordPress core and plugins, and subscribe to vendor security advisories for timely patch deployment once available.
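The pattern behind this class of bug, and the fix the recommendations above call for, can be shown in a small WordPress shortcode handler. The following is an added illustration written for this page; it is not the IRM Newsroom plugin's code, and the shortcode name 'democalendar' and its 'title' and 'month' attributes are hypothetical. The first handler interpolates attributes straight into markup; the second constrains each attribute to its expected shape and escapes it for the exact HTML context it lands in.

```php
<?php
// Added illustration, not the IRM Newsroom plugin's code.
// Hypothetical shortcode: [democalendar title="..." month="YYYY-MM"]

// UNSAFE pattern: shortcode attributes are written into the page as-is.
// Shortcode attributes in post content are attacker-controlled for any
// author role, so this is a stored XSS sink.
function demo_calendar_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Calendar', 'month' => '' ),
        $atts,
        'democalendar_unsafe'
    );
    return '<div class="calendar" data-month="' . $atts['month'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// HARDENED pattern: validate on input, escape on output per context.
function demo_calendar_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Calendar', 'month' => '' ),
        $atts,
        'democalendar'
    );

    // Free-text attribute: strip tags/control characters, then escape for
    // element-body context when rendering.
    $title = sanitize_text_field( $atts['title'] );

    // Structured attribute: allow-list the exact shape (YYYY-MM); anything
    // else is replaced by the safe default rather than passed through.
    $month = preg_match( '/^\d{4}-(0[1-9]|1[0-2])$/', $atts['month'] )
        ? $atts['month']
        : '';

    // esc_attr() for attribute context, esc_html() for text-node context.
    return '<div class="calendar" data-month="' . esc_attr( $month ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3></div>';
}

add_shortcode( 'democalendar_unsafe', 'demo_calendar_unsafe' );
add_shortcode( 'democalendar', 'demo_calendar_safe' );
```

Two design points: the escaping function must match the output context (an attribute value and an element body need different treatment), and validation should happen on the plugin side at render time, since WordPress's content filtering for roles without the unfiltered_html capability does not know what a plugin will later do with a shortcode attribute string. The CSP recommendation above is a complementary layer that limits what an injected inline script can do, not a substitute for escaping.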


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-12T14:58:38.599Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 684b8f23358c65714e6b577a

Added to database: 6/13/2025, 2:38:27 AM

Last enriched: 6/13/2025, 2:56:02 AM

Last updated: 7/30/2025, 4:17:16 PM
