CVE-2025-4666 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Zotpress plugin for WordPress, developed by kseaborn. This vulnerability exists in all versions up to and including 7.3.15 due to improper input sanitization and output escaping of the 'nickname' parameter. Specifically, authenticated users with Author-level privileges or higher can inject arbitrary JavaScript code into pages generated by the plugin. When other users access these compromised pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based (remote), requires low attack complexity, but does require privileges (Author or above) and does not require user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component. No known exploits in the wild have been reported as of the publication date (June 11, 2025), and no official patches have been linked yet. The vulnerability's impact is primarily on confidentiality and integrity, with no direct effect on availability.

For European organizations using WordPress sites with the Zotpress plugin, this vulnerability poses a significant risk, especially for those allowing multiple authors or contributors with Author-level access. An attacker exploiting this flaw could inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, redirecting users to phishing sites, or performing actions on behalf of legitimate users. This can lead to data breaches, reputational damage, and unauthorized access to sensitive information. Given the widespread use of WordPress and the popularity of Zotpress for managing bibliographic references, academic institutions, research organizations, and publishing entities in Europe are particularly at risk. The vulnerability's exploitation could facilitate lateral movement within networks if administrative users are targeted, increasing the risk of broader compromise. Additionally, the cross-site scripting nature of the vulnerability can be leveraged to bypass security controls such as Content Security Policy (CSP) if not properly configured, further amplifying the threat.

European organizations should immediately audit their WordPress installations to identify the presence and version of the Zotpress plugin. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict Author-level privileges strictly to trusted users and review user roles to minimize the number of users with such access. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'nickname' parameter or other plugin inputs. 3) Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the domains from which scripts can be loaded, mitigating the impact of injected scripts. 4) Monitor logs for unusual activities related to plugin usage and user input submissions. 5) Consider temporarily disabling or removing the Zotpress plugin if it is not critical to operations until a patch is available. 6) Educate site administrators and users about the risks of XSS and encourage prompt reporting of suspicious site behavior. 7) Once a patch is released, apply it promptly and verify that input sanitization and output escaping are correctly implemented.