CVE-2025-4608 is a stored cross-site scripting vulnerability identified in the Structured Content (JSON-LD) WordPress plugin developed by codemacher. This vulnerability exists in all versions up to and including 1.6.4 and arises due to improper neutralization of user-supplied input within the sc_fs_local_business shortcode. Specifically, the plugin fails to adequately sanitize and escape attributes provided by authenticated users with contributor-level access or higher. As a result, these users can inject arbitrary JavaScript code into pages generated by the plugin. When any user accesses a page containing the injected script, the malicious code executes in their browser context, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change affecting confidentiality and integrity. No known public exploits have been reported yet. The vulnerability is significant because contributor-level users are often trusted but may be compromised or malicious, enabling persistent XSS attacks that can affect all site visitors. The lack of output escaping and input sanitization in the shortcode's handling of JSON-LD structured content is the root cause. This vulnerability highlights the importance of rigorous input validation and output encoding in WordPress plugins that handle user-generated content.

The impact of CVE-2025-4608 is primarily on the confidentiality and integrity of WordPress sites using the Structured Content plugin. Exploitation allows authenticated contributors or higher to inject persistent malicious scripts, which execute in the browsers of all visitors to the affected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions such as content modification or privilege escalation, and distribution of malware. For organizations, this can result in reputational damage, loss of user trust, data breaches, and potential regulatory penalties if user data is compromised. Since WordPress powers a significant portion of the web, including many business and government sites, the vulnerability poses a broad risk. The requirement for contributor-level access limits exploitation to insiders or compromised accounts, but such access is common in collaborative environments. The vulnerability does not affect availability directly but can indirectly cause service disruption through defacement or administrative lockout. The medium CVSS score reflects the balance between the need for authentication and the potential for widespread impact once exploited.

To mitigate CVE-2025-4608, organizations should take the following specific actions: 1) Immediately restrict contributor-level permissions to trusted users only and audit existing contributor accounts for suspicious activity. 2) Disable or remove the Structured Content (JSON-LD) plugin if it is not essential to reduce attack surface. 3) Implement manual input validation and output escaping for any user-generated content handled by the plugin, especially the sc_fs_local_business shortcode, using WordPress security functions such as esc_attr() and wp_kses(). 4) Monitor web server logs and WordPress activity logs for unusual script injections or unexpected page content changes. 5) Educate content contributors about the risks of injecting untrusted content and enforce strict content submission policies. 6) Apply web application firewall (WAF) rules to detect and block common XSS payloads targeting the plugin’s shortcode parameters. 7) Stay alert for an official patch release from codemacher and apply it promptly once available. 8) Conduct regular security scans and penetration tests focusing on plugin vulnerabilities. These measures go beyond generic advice by focusing on access control, input/output handling, monitoring, and proactive risk reduction tailored to this specific vulnerability.