CVE-2025-4608 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Structured Content (JSON-LD) plugin for WordPress developed by codemacher. This vulnerability affects all versions up to and including 1.6.4 of the plugin. The root cause lies in improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of user-supplied attributes in the plugin's sc_fs_local_business shortcode. An authenticated attacker with contributor-level access or higher can exploit this flaw by injecting arbitrary malicious scripts into pages via the shortcode attributes. These scripts are then stored persistently and executed in the browsers of any users who visit the compromised pages, leading to potential session hijacking, privilege escalation, or other malicious activities. The CVSS v3.1 base score is 6.4, reflecting a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to contributor-level access but no user interaction is needed for exploitation once the malicious content is injected. The vulnerability impacts confidentiality and integrity but not availability, and the scope is changed as the vulnerability affects resources beyond the attacker’s control once exploited. No public exploits are currently known in the wild, and no patches have been linked yet, indicating that mitigation may rely on plugin updates or manual code fixes once available.

For European organizations using WordPress sites with the Structured Content plugin, this vulnerability poses a moderate risk. Exploitation could allow attackers to execute arbitrary JavaScript in the context of the affected website, potentially leading to theft of session cookies, user credentials, or other sensitive information. This can facilitate further attacks such as account takeover or unauthorized actions on the site. Given that contributor-level access is required, insider threats or compromised accounts pose a significant risk vector. The impact is particularly relevant for organizations that rely on WordPress for public-facing websites, e-commerce, or content management, as the injected scripts could affect visitors, customers, or employees accessing the site. Additionally, GDPR considerations apply if personal data is exposed or compromised through such attacks, potentially leading to regulatory penalties. The vulnerability does not directly affect availability but can undermine trust and integrity of web content, damaging organizational reputation.

European organizations should immediately audit their WordPress installations to identify use of the Structured Content (JSON-LD) plugin and verify the version in use. Until an official patch is released, mitigation steps include: 1) Restrict contributor-level access strictly to trusted users and review existing user roles for potential abuse. 2) Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the sc_fs_local_business shortcode parameters. 3) Employ Content Security Policy (CSP) headers to limit execution of unauthorized scripts on affected sites. 4) Conduct manual code review or apply temporary input sanitization and output escaping patches if feasible. 5) Monitor website logs and user activity for signs of exploitation attempts. 6) Educate content contributors about the risks of injecting untrusted content. Once patches are available from the vendor, prioritize timely updates to the plugin. Additionally, consider isolating or disabling the shortcode if it is not essential to site functionality.