CVE-2025-5541 is a stored cross-site scripting vulnerability identified in the frold Runners Log plugin for WordPress, affecting all versions up to and including 3.9.2. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes in the plugin's 'runnerslog' shortcode. Authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code into pages by manipulating shortcode attributes. These malicious scripts are stored persistently and executed in the context of any user who accesses the compromised page, potentially allowing attackers to hijack user sessions, steal cookies, perform actions on behalf of users, or deliver further payloads. The vulnerability is exploitable remotely over the network without user interaction, with low attack complexity, but requires authenticated access with contributor or higher privileges. The CVSS v3.1 score of 6.4 reflects the medium severity, with partial confidentiality and integrity impacts but no availability impact. No patches or fixes are currently linked, and no known exploits are reported in the wild. Given the popularity of WordPress and the common use of plugins like Runners Log for managing running logs or similar content, this vulnerability poses a tangible risk to websites using this plugin. The vulnerability's scope is limited to sites where the plugin is installed and contributor-level access is granted, but the potential for privilege escalation or further exploitation exists if combined with other vulnerabilities or social engineering.

The primary impact of CVE-2025-5541 is the compromise of confidentiality and integrity on affected WordPress sites. Attackers can execute arbitrary JavaScript in the context of site visitors, potentially stealing session cookies, redirecting users to malicious sites, defacing content, or performing unauthorized actions on behalf of users with elevated privileges. This can lead to account takeover, data leakage, and reputational damage. Since the vulnerability requires contributor-level access, the risk is higher in environments where contributor accounts are common or where account credentials may be compromised. The stored nature of the XSS means the malicious payload persists and affects all users who visit the infected page, increasing the attack's reach. Although availability is not directly impacted, the indirect effects of exploitation, such as site defacement or blacklisting by search engines, can disrupt normal operations. Organizations relying on the Runners Log plugin for community or user-generated content are particularly at risk, as attackers can leverage this vulnerability to escalate privileges or move laterally within the site. The medium CVSS score reflects a moderate but actionable threat that should be addressed promptly to prevent exploitation.

To mitigate CVE-2025-5541, organizations should first check for updates or patches from the frold plugin developers and apply them immediately once available. In the absence of official patches, administrators should consider temporarily disabling the Runners Log plugin to prevent exploitation. Restrict contributor-level access strictly to trusted users and audit existing accounts for suspicious activity. Implement Web Application Firewall (WAF) rules that detect and block malicious scripts or unusual shortcode attribute patterns targeting the 'runnerslog' shortcode. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly sanitize and validate all user inputs on the site, especially those that interact with shortcodes or dynamic content generation. Monitor site logs and user activity for signs of exploitation attempts or unusual behavior. Educate contributors about the risks of uploading or embedding untrusted content. Finally, consider using security plugins that provide XSS protection and scanning capabilities to detect stored XSS payloads.