CVE-2025-54746 is a medium severity vulnerability classified under CWE-79, which pertains to Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the 'Shortcode Redirect' component of the cartpauj project, specifically versions up to 1.0.02. The flaw allows for Stored XSS attacks, where malicious scripts injected by an attacker are permanently stored on the target server and executed in the context of users who access the affected pages. The vulnerability arises due to insufficient sanitization or encoding of user-supplied input before it is embedded into web pages, enabling attackers to inject arbitrary JavaScript code. According to the CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L), the attack can be launched remotely over the network with low attack complexity, requires privileges (PR:L) and user interaction (UI:R), and results in a changed security scope (S:C). The impact includes partial confidentiality, integrity, and availability losses, as the injected scripts can steal sensitive data, manipulate page content, or disrupt service. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was reserved on July 28, 2025, and published on August 14, 2025.

For European organizations using the cartpauj Shortcode Redirect plugin, this vulnerability poses a risk of persistent XSS attacks that can compromise user sessions, steal credentials, or perform unauthorized actions on behalf of users. This is particularly concerning for e-commerce, government, and financial websites where trust and data integrity are paramount. Exploitation could lead to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and potential financial losses. The requirement for some privileges and user interaction somewhat limits the attack surface but does not eliminate risk, especially in environments with multiple user roles or where social engineering can be employed. The cross-site scripting can also be leveraged to bypass same-origin policies, potentially escalating attacks to more severe compromises.

European organizations should immediately audit their use of the cartpauj Shortcode Redirect plugin and identify affected versions. Until an official patch is released, mitigation should include: 1) Implementing strict input validation and output encoding on all user-supplied data within the shortcode context to neutralize malicious scripts. 2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce XSS impact. 3) Limit user privileges to the minimum necessary to reduce the risk posed by PR:L requirement. 4) Educate users about phishing and social engineering risks to mitigate UI:R dependency. 5) Monitor web application logs for unusual input patterns or script injections. 6) Consider disabling or replacing the vulnerable shortcode functionality if feasible. 7) Stay alert for official patches or updates from the vendor and apply them promptly once available.