CVE-2025-5488 is a stored cross-site scripting vulnerability identified in the WP Masonry & Infinite Scroll plugin for WordPress, maintained by kaushik07. The flaw exists in all plugin versions up to and including 2.2, due to insufficient sanitization and escaping of user input passed through the 'wmis' shortcode attributes. This improper neutralization of input (CWE-79) allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions within the context of the victim's session. The vulnerability requires network access but no user interaction beyond page viewing, and the attack complexity is low. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects that the attack can be launched remotely over the network with low complexity, requires privileges (contributor or above), does not require user interaction, and impacts confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no exploits have been reported in the wild as of the publication date (June 26, 2025).

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites using the WP Masonry & Infinite Scroll plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, performing unauthorized actions, or defacing content. This can lead to account compromise, data leakage, and erosion of user trust. Since the vulnerability does not affect availability, denial-of-service impacts are unlikely. However, the scope change means that the vulnerability can affect users beyond the initial attacker, increasing the risk profile. Organizations relying on this plugin for content presentation may face reputational damage and compliance issues if exploited. The risk is heightened in environments where contributor-level access is granted to multiple users or where administrative oversight is limited.

To mitigate CVE-2025-5488, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling or removing the WP Masonry & Infinite Scroll plugin if feasible. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute payloads can provide interim protection. Additionally, site owners should audit existing content for injected scripts and remove any malicious code. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script execution sources. Regular security reviews and user permission audits will reduce the attack surface. Finally, educating contributors about safe content practices and monitoring logs for unusual activity can aid early detection.