CVE-2025-5559 is a stored Cross-Site Scripting (XSS) vulnerability affecting the TimeZoneCalculator plugin for WordPress, developed by neoxx. This vulnerability exists in all versions up to and including 3.37 due to improper input sanitization and insufficient output escaping of user-supplied attributes in the 'timezonecalculator_output' shortcode. Specifically, authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages via this shortcode. When other users visit these compromised pages, the injected scripts execute in their browsers within the context of the vulnerable site. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects that the attack can be launched remotely over the network with low attack complexity, requires privileges equivalent to contributor access, does not require user interaction, and impacts confidentiality and integrity with a scope change. The vulnerability does not affect availability. No known exploits are currently reported in the wild, and no official patches have been released at the time of publication. The core technical issue is that the plugin fails to properly sanitize and escape input attributes in the shortcode, allowing malicious scripts to be stored persistently in the WordPress database and served to users, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of users. This vulnerability is particularly concerning in environments where multiple users have contributor or higher roles, as it enables insider threats or compromised accounts to propagate malicious scripts site-wide.

For European organizations using WordPress sites with the TimeZoneCalculator plugin, this vulnerability poses a significant risk to the confidentiality and integrity of user data and site content. Attackers with contributor-level access can embed malicious scripts that execute in the browsers of site visitors, potentially leading to theft of authentication cookies, unauthorized actions, or defacement. This can result in reputational damage, data breaches, and loss of user trust. Organizations with collaborative content management workflows, such as media companies, educational institutions, and government agencies, are particularly vulnerable due to the common assignment of contributor roles. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting other parts of the website or connected systems. While availability is not directly impacted, the indirect consequences of compromised integrity and confidentiality can disrupt business operations and compliance with data protection regulations such as GDPR. The absence of known exploits in the wild suggests that proactive mitigation can prevent exploitation, but the medium severity score underscores the need for timely remediation.

1. Immediate mitigation should include restricting contributor-level access to trusted users only, minimizing the risk of malicious shortcode injection. 2. Implement strict input validation and output escaping on all user-supplied shortcode attributes, ideally by updating the plugin code to use WordPress's built-in sanitization functions such as sanitize_text_field() and esc_attr() or esc_html() where appropriate. 3. Monitor and audit existing content for injected scripts by scanning posts and pages that utilize the 'timezonecalculator_output' shortcode, removing any suspicious or unauthorized scripts. 4. Employ a Web Application Firewall (WAF) with rules targeting stored XSS patterns to detect and block malicious payloads before they reach end users. 5. Encourage plugin developers to release an official patch promptly and apply it as soon as available. 6. Educate content contributors on secure content practices and the risks of injecting untrusted code. 7. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 8. Regularly review user roles and permissions to ensure the principle of least privilege is enforced. 9. Enable logging and alerting for unusual activities related to shortcode usage or content modifications to detect potential exploitation attempts early.