CVE-2025-5541 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Runners Log plugin for WordPress, developed by frold. This vulnerability exists in all versions up to and including 3.9.2 due to improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'runnerslog' shortcode. An authenticated attacker with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based (remote), requires low attack complexity, and privileges at the contributor level, but does not require user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the initially vulnerable component. Confidentiality and integrity impacts are low, while availability is unaffected. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability falls under CWE-79, which is a common web application security weakness related to improper input validation leading to XSS.

For European organizations using WordPress sites with the Runners Log plugin installed, this vulnerability poses a significant risk, especially for sites that allow contributor-level users to add or modify content. Exploitation could lead to unauthorized script execution in the context of site visitors or administrators, potentially resulting in theft of authentication cookies, defacement, or redirection to malicious sites. This could damage organizational reputation, lead to data breaches, or facilitate further attacks such as privilege escalation or lateral movement within the network. Given the widespread use of WordPress in Europe across various sectors including media, education, and small to medium enterprises, the impact could be broad. Organizations with strict data protection requirements under GDPR must be particularly cautious, as exploitation could lead to personal data exposure and regulatory penalties. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure.

Organizations should immediately audit their WordPress installations to identify the presence of the Runners Log plugin and verify the version in use. Until an official patch is released, it is advisable to disable or remove the plugin if it is not essential. For sites that require the plugin, restrict contributor-level access strictly and review user roles and permissions to minimize the number of users who can inject content. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting the 'runnerslog' shortcode parameters. Additionally, enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs for unusual activity related to the plugin and educate content contributors about safe input practices. Once a patch becomes available, prioritize its deployment. Finally, consider employing security plugins that provide enhanced input sanitization and output encoding as an additional layer of defense.