CVE-2025-4589: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nackle2k10 Bon Toolkit

Medium
Tags: Vulnerability, CVE-2025-4589, cve, cwe-79
Published: Thu May 15 2025 (05/15/2025, 03:21:38 UTC)
Source: CVE
Vendor/Project: nackle2k10
Product: Bon Toolkit

Description

The Bon Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bt-map' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 11:39:33 UTC

Technical Analysis

CVE-2025-4589 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the Bon Toolkit WordPress plugin developed by nackle2k10. This vulnerability affects all versions up to and including 1.3.2. The root cause lies in improper input sanitization and insufficient output escaping of user-supplied attributes within the plugin's 'bt-map' shortcode. Specifically, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages by manipulating the shortcode attributes. Once injected, this malicious script executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and privileges at the level of an authenticated contributor. No user interaction is needed for exploitation, and the scope is changed, indicating that the vulnerability can affect resources beyond the initially compromised component. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on May 15, 2025, and has been enriched by CISA, indicating recognition by authoritative cybersecurity entities.
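The root cause described above is the rendering of contributor-controlled shortcode attributes without escaping. The following is an added example, not the Bon Toolkit plugin's own code, of how a WordPress shortcode with map-style attributes can be rendered safely; the tag 'example-map', its attribute names and the callback are hypothetical, and the code assumes the WordPress runtime (add_shortcode, shortcode_atts and the esc_* helpers).

```php
<?php
// Added example (not Bon Toolkit code): a hypothetical map shortcode whose
// attributes are supplied by contributors. Assumes the WordPress runtime.
add_shortcode( 'example-map', 'example_map_shortcode' );

function example_map_shortcode( $atts ) {
    // Whitelist the accepted attributes with defaults; anything else a
    // contributor passes in the shortcode is dropped here.
    $atts = shortcode_atts(
        array(
            'address' => '',
            'zoom'    => 12,
            'width'   => 600,
            'height'  => 400,
            'link'    => '',
        ),
        $atts,
        'example-map'
    );

    // Unsafe pattern (the bug class described in the advisory): interpolating
    // raw attributes straight into HTML, e.g.
    //   return "<div data-address='{$atts['address']}'>";
    // A quote or angle bracket in the attribute then escapes its context.

    // Numeric attributes: coerce to integers and clamp to a sane range.
    $zoom   = max( 1, min( 20, absint( $atts['zoom'] ) ) );
    $width  = max( 100, min( 2000, absint( $atts['width'] ) ) );
    $height = max( 100, min( 2000, absint( $atts['height'] ) ) );

    // Free-text attribute: sanitize on input, escape again on output.
    $address = sanitize_text_field( $atts['address'] );

    // URL attribute: esc_url() returns '' for disallowed schemes such as javascript:.
    $link = esc_url( $atts['link'] );

    // Every value lands in an attribute or text context with the matching escaper.
    $html = sprintf(
        '<div class="example-map" data-address="%s" data-zoom="%d" style="width:%dpx;height:%dpx;">',
        esc_attr( $address ),
        $zoom,
        $width,
        $height
    );
    if ( '' !== $link ) {
        $html .= sprintf( '<a href="%s">%s</a>', $link, esc_html( $address ) );
    }
    $html .= '</div>';

    return $html; // Shortcode callbacks return markup rather than echoing it.
}
```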

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with the Bon Toolkit plugin installed. Stored XSS can lead to unauthorized actions on behalf of users, data theft, and compromise of user credentials or session tokens. This can result in defacement, loss of customer trust, and potential regulatory penalties under GDPR if personal data is exposed. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts pose a risk. Attackers could leverage this vulnerability to pivot within the organization’s web infrastructure or launch further attacks against site visitors. The medium CVSS score reflects moderate risk, but the scope change and lack of user interaction requirement increase the potential impact. Organizations with public-facing WordPress sites, especially those handling sensitive user data or e-commerce, are at higher risk.

Mitigation Recommendations

1. Immediate mitigation involves restricting contributor-level access to trusted users only and auditing existing contributor accounts for suspicious activity.
2. Disable or remove the Bon Toolkit plugin until a security patch is released.
3. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'bt-map' shortcode parameters.
4. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources.
5. Monitor web server and application logs for unusual activity related to shortcode usage.
6. Once available, promptly apply vendor patches or updates addressing this vulnerability.
7. Educate content contributors about safe input practices and the risks of injecting untrusted content.
8. Conduct regular security assessments and penetration testing focusing on WordPress plugins and user input handling.

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-12T15:17:10.936Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec6bf

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 11:39:33 AM

Last updated: 7/31/2025, 11:30:38 PM
