CVE-2025-4589 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Bon Toolkit plugin for WordPress, specifically affecting all versions up to and including 1.3.2. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The issue lies in the 'bt-map' shortcode, which fails to adequately sanitize and escape user-supplied attributes before rendering them on web pages. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (authenticated contributor or above), no user interaction, and scope change due to impact on other users. No official patches or fixes have been released at the time of publication, and no known exploits have been observed in the wild. The vulnerability was reserved and published in May 2025, with enrichment from CISA and Wordfence threat intelligence. The plugin’s widespread use in WordPress sites, combined with the common practice of allowing contributor-level users to add content, increases the risk of exploitation. The vulnerability’s exploitation could compromise site integrity and user trust, making timely mitigation critical.

The primary impact of CVE-2025-4589 is the compromise of confidentiality and integrity within affected WordPress sites. Exploitation allows authenticated contributors to inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or defacement. This can damage the reputation of organizations, lead to data breaches, and facilitate further attacks such as privilege escalation or malware distribution. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts pose a significant risk. The scope of impact extends to all users who view the infected pages, increasing the potential damage. Although availability is not directly affected, the indirect consequences of trust erosion and potential regulatory penalties can be severe. Organizations relying on the Bon Toolkit plugin for critical or high-traffic websites face increased risk, especially if contributor permissions are broadly assigned. The absence of known exploits in the wild currently limits immediate widespread damage, but the medium severity score and ease of exploitation by authenticated users necessitate prompt action to prevent future attacks.

To mitigate CVE-2025-4589, organizations should first restrict contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. Implement strict input validation and output encoding for all user-supplied data, especially within the 'bt-map' shortcode, to prevent injection of executable scripts. Site administrators should monitor and audit content submitted by contributors for suspicious code or anomalies. Until an official patch is released, consider disabling or removing the Bon Toolkit plugin if it is not essential. Employ Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the vulnerable shortcode. Regularly update WordPress core and plugins to incorporate security fixes as they become available. Educate contributors about secure content submission practices and the risks of injecting scripts. Additionally, implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the site. Finally, maintain comprehensive backups and incident response plans to quickly recover from potential compromises.