CVE-2025-52792 is a high-severity vulnerability affecting the WordPress plugin 'WP User Stylesheet Switcher' developed by vgstef, specifically versions up to and including 2.2.0. The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue (CWE-352) that enables an attacker to perform unauthorized actions on behalf of an authenticated user. In this case, the CSRF vulnerability facilitates a stored Cross-Site Scripting (XSS) attack, allowing malicious scripts to be injected and persist within the plugin's functionality. The CVSS 3.1 base score is 7.1, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact metrics show low confidentiality (C:L), integrity (I:L), and availability (A:L) impacts individually, but combined with scope change and exploitability, the overall severity is high. The vulnerability arises because the plugin does not adequately verify the origin of requests that alter user stylesheet settings, allowing attackers to craft malicious requests that, when executed by an authenticated user, store malicious scripts in the system. These scripts can then execute in the context of other users, potentially leading to session hijacking, privilege escalation, or further compromise of the WordPress site. No patches or known exploits in the wild have been reported as of the publication date (June 20, 2025). However, the presence of stored XSS combined with CSRF significantly raises the risk profile, especially for sites with multiple users or administrative roles. The vulnerability affects the plugin broadly, with no specific affected versions prior to 2.2.0 detailed, indicating all versions up to 2.2.0 are vulnerable. The plugin is used to allow users to switch stylesheets on WordPress sites, a feature that may be leveraged in multi-user or content-rich environments.

For European organizations, the impact of this vulnerability can be significant, particularly for those relying on WordPress sites with the WP User Stylesheet Switcher plugin installed. The stored XSS enabled by CSRF can lead to unauthorized script execution, which may compromise user sessions, leak sensitive information, or allow attackers to perform actions with the privileges of authenticated users, including administrators. This can result in data breaches, defacement, or further malware deployment. Organizations in sectors such as finance, healthcare, government, and e-commerce, which often use WordPress for public-facing or internal portals, are at heightened risk due to the potential exposure of sensitive personal or business data. The vulnerability's exploitation does not require prior authentication but does require user interaction, meaning phishing or social engineering could be used to trick users into triggering the malicious requests. The scope change in the CVSS vector indicates that the impact extends beyond the plugin itself, potentially affecting the entire WordPress site and its users. Given the widespread use of WordPress in Europe and the popularity of plugins that enhance user experience, this vulnerability could be leveraged to disrupt services, damage reputation, or facilitate further attacks within European organizations.

1. Immediate removal or deactivation of the WP User Stylesheet Switcher plugin until a security patch is released. 2. Monitor official plugin repositories and vendor communications for patch releases and apply updates promptly. 3. Implement Web Application Firewall (WAF) rules to detect and block CSRF and XSS attack patterns targeting the plugin endpoints. 4. Enforce strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on WordPress sites. 5. Educate users, especially administrators, about phishing and social engineering tactics that could trigger CSRF attacks requiring user interaction. 6. Conduct regular security audits and penetration testing focusing on WordPress plugins and user input handling. 7. Use security plugins that provide CSRF token validation and input sanitization to add an additional layer of protection. 8. Restrict user permissions to the minimum necessary to reduce the impact of compromised accounts. 9. Enable multi-factor authentication (MFA) for all WordPress user accounts to mitigate session hijacking risks. 10. Review and harden WordPress configuration to disable unnecessary features that could be exploited in conjunction with this vulnerability.