CVE-2025-5235: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in opensheetmusicdisplay OpenSheetMusicDisplay

Medium
Tags: Vulnerability, CVE-2025-5235, CWE-79
Published: Fri May 30 2025 (05/30/2025, 09:22:07 UTC)
Source: CVE Database V5
Vendor/Project: opensheetmusicdisplay
Product: OpenSheetMusicDisplay

Description

The OpenSheetMusicDisplay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 07/07/2025, 21:40:59 UTC

Technical Analysis

CVE-2025-5235 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the OpenSheetMusicDisplay plugin for WordPress, affecting all versions up to and including 1.4.0. The vulnerability arises from improper neutralization of input during web page generation, specifically via the 'className' parameter. Due to insufficient input sanitization and lack of proper output escaping, authenticated users with Contributor-level access or higher can inject arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based (remote), requires low attack complexity, and privileges at the level of authenticated Contributor or above, but does not require user interaction for exploitation. The scope is changed, meaning the vulnerability can affect components beyond the initially vulnerable plugin, potentially impacting the confidentiality and integrity of user data and site content. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.

Potential Impact

For European organizations using WordPress sites with the OpenSheetMusicDisplay plugin, this vulnerability poses a significant risk to website integrity and user trust. Exploitation could allow attackers to execute malicious scripts that steal session cookies, deface content, or redirect visitors to phishing or malware sites. This can lead to data breaches, reputational damage, and potential regulatory non-compliance under GDPR if personal data is compromised. Since the attack requires authenticated Contributor-level access, insider threats or compromised accounts pose a realistic risk vector. The vulnerability's ability to affect multiple users and potentially escalate impact across site components increases the threat surface. Organizations relying on WordPress for public-facing or internal portals that include this plugin are at risk of persistent XSS attacks that can undermine website security and user privacy.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the OpenSheetMusicDisplay plugin and verify the version in use. Until an official patch is released, administrators should restrict Contributor-level access to trusted users only and consider temporarily disabling or removing the plugin if feasible. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious script injections targeting the 'className' parameter can provide interim protection. Additionally, applying Content Security Policy (CSP) headers to restrict script execution sources can mitigate the impact of injected scripts. Regularly monitoring logs for unusual activity related to page content changes or script injections is recommended. Once a patch is available, prompt updating of the plugin is critical. Educating content contributors about the risks and enforcing strong authentication measures (e.g., MFA) will reduce the likelihood of account compromise.
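To make the "insufficient input sanitization and output escaping" root cause concrete, the following is an added example, not code from the OpenSheetMusicDisplay plugin: the rendering functions, the `$atts['className']` attribute and the `osmd-container` class name are assumptions. It places a class value emitted unescaped into an HTML attribute beside a hardened version that reduces each token to class-name characters and attribute-escapes the result; the `sanitize_html_class()` and `esc_attr()` stand-ins are simplified local definitions so the script runs outside WordPress.

```php
<?php
// Added example, not OpenSheetMusicDisplay plugin code. The render functions,
// the $atts array and the osmd-container class name are hypothetical.

// Simplified stand-ins so the script runs outside WordPress. Inside WordPress
// the real functions are already loaded and these definitions are skipped.
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class(string $class, string $fallback = ''): string {
        $s = preg_replace('/%[a-fA-F0-9]{2}/', '', $class); // drop percent-encoded bytes
        $s = preg_replace('/[^A-Za-z0-9_-]/', '', $s);     // keep only class-name characters
        return ($s === '' && $fallback !== '') ? sanitize_html_class($fallback) : $s;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: the stored value reaches the attribute context untouched,
// so a double quote inside it closes the class attribute and whatever follows
// is parsed by the browser as further markup.
function render_vulnerable(array $atts): string {
    return '<div class="osmd-container ' . ($atts['className'] ?? '') . '"></div>';
}

// Hardened pattern: split on whitespace, reduce every token to [A-Za-z0-9_-],
// drop tokens that become empty, then attribute-escape on output as well
// (defence in depth, in case the character filter is ever relaxed).
function render_hardened(array $atts): string {
    $tokens = preg_split('/\s+/', $atts['className'] ?? '', -1, PREG_SPLIT_NO_EMPTY);
    $clean  = array_filter(array_map('sanitize_html_class', $tokens), fn($t) => $t !== '');
    return '<div class="osmd-container ' . esc_attr(implode(' ', $clean)) . '"></div>';
}

// Constructed input: a legitimate class name followed by a value that breaks
// out of the attribute and introduces an attribute the author never wrote.
$atts = ['className' => 'wide" data-injected="yes'];

echo render_vulnerable($atts), "\n";
echo render_hardened($atts), "\n";
```

In the first output line the injected attribute survives into the markup; in the second the same input is reduced to inert class tokens, which is the property a fix for this CWE-79 issue has to guarantee on every path that writes `className` into the page.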


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-26T21:38:12.002Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68397e09182aa0cae2a8d42c

Added to database: 5/30/2025, 9:44:41 AM

Last enriched: 7/7/2025, 9:40:59 PM

Last updated: 7/30/2025, 5:16:37 PM
