CVE-2025-5559 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the neoxx TimeZoneCalculator plugin for WordPress. The flaw exists in the 'timezonecalculator_output' shortcode, which fails to properly sanitize and escape user-supplied attributes before rendering them on web pages. This deficiency allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes in the context of any user who visits the infected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability affects all plugin versions up to and including 3.37. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or exploit code are currently publicly available, but the vulnerability is publicly disclosed and should be considered exploitable. This vulnerability is particularly concerning for websites with multiple contributors and high user traffic, as it can be leveraged to escalate privileges or spread malware within the site environment.

The primary impact of CVE-2025-5559 is the compromise of confidentiality and integrity of user data on affected WordPress sites. Attackers can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of cookies or credentials, unauthorized actions performed with victim user privileges, and defacement or redirection attacks. Since the vulnerability requires contributor-level access, it could be exploited by malicious insiders or compromised contributor accounts to escalate attacks. The scope change means that the vulnerability can affect users beyond the initial attacker, increasing the risk of widespread compromise. Although availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences for organizations. Given WordPress's widespread use globally, this vulnerability could affect a large number of websites, especially those that rely on the TimeZoneCalculator plugin for functionality.

To mitigate CVE-2025-5559, organizations should immediately update the neoxx TimeZoneCalculator plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should consider disabling or removing the plugin to eliminate the attack surface. Restrict contributor-level access strictly to trusted users and audit existing contributor accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'timezonecalculator_output' shortcode parameters. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly scan the website for injected scripts or anomalous content. Additionally, educate contributors about safe input practices and monitor logs for unusual behavior. Applying principle of least privilege and multi-factor authentication for all users with elevated permissions can further reduce exploitation risk.