CVE-2025-4666: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kseaborn Zotpress
The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-4666 is a stored cross-site scripting vulnerability identified in the Zotpress plugin for WordPress, maintained by kseaborn. This vulnerability affects all versions up to and including 7.3.15. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'nickname' parameter. An attacker with authenticated Author-level access or higher can inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes in the context of any user who visits the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The vulnerability does not require user interaction to trigger once the page is loaded. The CVSS v3.1 base score is 6.4, indicating a medium severity level, with an attack vector over the network, low attack complexity, privileges required at the Author level, no user interaction needed, and a scope change affecting confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The lack of available patches at the time of disclosure necessitates interim mitigations.
Potential Impact
The impact of CVE-2025-4666 is significant for organizations using the Zotpress plugin on WordPress sites, especially those with multiple users having Author-level or higher privileges. Exploitation can lead to unauthorized script execution in the browsers of site visitors and administrators, resulting in session hijacking, theft of sensitive information such as authentication tokens, defacement of web content, or unauthorized actions performed with the victim’s privileges. This can undermine the confidentiality and integrity of the affected websites and user data. Since WordPress powers a large portion of websites globally, including many academic, research, and content management sites that may use Zotpress for citation management, the potential attack surface is broad. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but insider threats or compromised credentials are common attack vectors. The vulnerability could also be leveraged as a foothold for further attacks within an organization’s network or to spread malware to site visitors.
Mitigation Recommendations
To mitigate CVE-2025-4666, organizations should first check for and apply any official patches or updates from the Zotpress plugin vendor as soon as they become available. Until a patch is released, the following specific mitigations are recommended:
1) Restrict Author-level and higher privileges to trusted users only, minimizing the number of accounts that can exploit this vulnerability.
2) Implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting the 'nickname' parameter.
3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages.
4) Conduct regular audits of user-generated content for injected scripts or suspicious code.
5) Educate site administrators and users about the risks of privilege escalation and the importance of strong authentication controls.
6) Consider temporarily disabling or limiting the use of the Zotpress plugin if feasible until a secure version is available.
7) Monitor logs for unusual activity related to user input or page rendering that could indicate exploitation attempts.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-13T19:53:37.213Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6848fed43cd93dcca831b156
Added to database: 6/11/2025, 3:58:12 AM
Last enriched: 2/27/2026, 2:46:05 PM
Last updated: 3/21/2026, 12:30:52 PM