CVE-2025-4611 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Slim SEO – Fast & Automated WordPress SEO Plugin, developed by rilwis. This plugin is widely used to automate SEO tasks within WordPress sites. The vulnerability affects all versions up to and including 4.5.3. The root cause is insufficient sanitization and escaping of user-supplied input in the plugin's slim_seo_breadcrumbs shortcode attributes. Specifically, authenticated users with contributor-level privileges or higher can inject arbitrary JavaScript code into pages via this shortcode. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact affects confidentiality and integrity but not availability. No known exploits are reported in the wild yet. The vulnerability requires authenticated access but no user interaction, making it a significant risk in environments with multiple contributors or editors. The persistent nature of the XSS increases the attack surface, as any visitor to the infected page can be affected. This vulnerability highlights the importance of rigorous input validation and output encoding in WordPress plugins, especially those that process shortcode attributes.

For European organizations using WordPress sites with the Slim SEO plugin, this vulnerability poses a moderate risk. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to theft of session cookies, defacement, or distribution of malware. This can damage brand reputation, lead to data breaches, and violate GDPR requirements concerning personal data protection. Organizations with collaborative content management workflows are particularly vulnerable since contributors often have the required privileges. The vulnerability could be exploited to target customers or employees visiting the site, enabling phishing or credential theft. While the vulnerability does not directly impact availability, the reputational and data confidentiality consequences can be severe. Additionally, the scope change in the CVSS vector indicates that the vulnerability affects components beyond the initially compromised privilege level, increasing the overall risk. Given the widespread use of WordPress in Europe, especially among SMEs and public sector entities, the potential impact is significant if not mitigated promptly.

1. Immediate upgrade: Organizations should update the Slim SEO plugin to the latest version once a patch is released. Since no patch links are currently available, monitoring vendor advisories is critical. 2. Privilege review: Limit contributor-level access to trusted users only and audit existing user roles to minimize the risk of malicious input injection. 3. Input sanitization: Implement additional server-side input validation and output escaping for shortcode attributes if custom code or overrides are used. 4. Web Application Firewall (WAF): Deploy or update WAF rules to detect and block suspicious script injections targeting the slim_seo_breadcrumbs shortcode. 5. Content Security Policy (CSP): Enforce strict CSP headers to restrict execution of unauthorized scripts in browsers. 6. Monitoring and logging: Enable detailed logging of shortcode usage and user input to detect anomalous behavior. 7. User awareness: Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies. 8. Backup and recovery: Maintain regular backups of website content to enable quick restoration if exploitation occurs.