CVE-2025-4590 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Daisycon prijsvergelijkers plugin for WordPress, specifically in the 'daisycon_uitvaart' shortcode. This vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes, allowing authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious scripts are stored, they execute every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability affects all versions up to and including 4.8.4. The CVSS 3.1 score of 6.4 reflects a medium severity with a network attack vector, low attack complexity, and privileges required at the contributor level, but no user interaction is needed for exploitation. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. No public exploits have been reported yet, but the vulnerability poses a significant risk in environments where multiple users have contributor or higher access. The plugin is commonly used in affiliate marketing and price comparison contexts, making websites that rely on it attractive targets for attackers seeking to compromise visitor trust or perform phishing attacks. The vulnerability highlights the importance of proper input validation and output encoding in WordPress shortcode implementations to prevent XSS attacks.

The impact of CVE-2025-4590 is primarily on confidentiality and integrity. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of any user visiting the compromised pages, including administrators and site editors. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, defacement, or redirection to malicious sites. While availability is not directly affected, the reputational damage and potential data breaches can be severe. Organizations relying on the Daisycon prijsvergelijkers plugin for affiliate marketing or price comparison may suffer loss of user trust, regulatory penalties if personal data is compromised, and operational disruptions. Since exploitation requires contributor-level privileges, the threat is elevated in environments with weak access controls or compromised user accounts. The scope change in the CVSS vector indicates that the vulnerability can impact resources beyond the plugin itself, potentially affecting the entire website and its users. Given the widespread use of WordPress and the plugin in e-commerce and affiliate sectors, the threat has a broad potential impact globally.

1. Immediately audit user roles and permissions to ensure that only trusted users have contributor-level or higher access. Limit contributor privileges where possible. 2. Monitor and review all uses of the 'daisycon_uitvaart' shortcode in site content for suspicious or unauthorized modifications. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting this shortcode. 4. Apply output encoding and input validation at the application level if custom modifications are possible, sanitizing all user-supplied attributes before rendering. 5. Stay updated with the plugin vendor’s announcements and apply patches or updates as soon as they become available. 6. Educate site administrators and content contributors about the risks of XSS and safe content practices. 7. Consider temporarily disabling or replacing the Daisycon prijsvergelijkers plugin if immediate patching is not feasible. 8. Conduct regular security scans and penetration tests focusing on shortcode injection points. 9. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected sites. 10. Maintain robust logging and alerting to detect unusual activity related to shortcode usage or user privilege escalations.