CVE-2025-5753 identifies a stored cross-site scripting (XSS) vulnerability in the reallaunch Valuation Calculator plugin for WordPress, present in all versions up to and including 1.3.2. The vulnerability stems from improper neutralization of input during web page generation, specifically through the 'link' parameter. Authenticated users with Contributor-level permissions or higher can exploit this by injecting arbitrary JavaScript code that is stored persistently and executed in the context of any user who accesses the infected page. This occurs because the plugin fails to adequately sanitize input or escape output, violating secure coding practices against CWE-79. The vulnerability allows attackers to compromise confidentiality and integrity by stealing session tokens, performing actions on behalf of other users, or injecting malicious payloads. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and a scope change due to potential impact on other users. No patches or exploit code are currently publicly available, but the risk remains significant for sites with multiple contributors. The vulnerability is particularly relevant for WordPress sites relying on this plugin for valuation calculations, often used in real estate or financial sectors.

The impact of CVE-2025-5753 is primarily on the confidentiality and integrity of affected WordPress sites. An attacker with Contributor-level access can inject persistent malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. This can erode user trust, cause data breaches, and facilitate further attacks such as privilege escalation or lateral movement within the site. Since the vulnerability requires authenticated access, the risk is higher in environments with multiple contributors or less stringent access controls. The scope of impact extends to all users who view the compromised pages, including administrators and visitors, increasing the potential damage. Although availability is not directly affected, the reputational and operational consequences can be severe, especially for organizations relying on the plugin for critical business functions. The absence of known exploits in the wild suggests limited immediate threat but does not preclude future exploitation.

To mitigate CVE-2025-5753, organizations should first update the reallaunch Valuation Calculator plugin to a patched version once available. Until a patch is released, restrict Contributor-level access to trusted users only and review user roles to minimize unnecessary privileges. Implement web application firewall (WAF) rules to detect and block suspicious payloads targeting the 'link' parameter. Employ input validation and output encoding at the application level to neutralize malicious scripts. Conduct regular security audits and monitor logs for unusual activity indicative of XSS attempts. Educate content contributors about safe input practices and the risks of injecting untrusted content. Additionally, consider disabling or replacing the plugin if it is not essential. Finally, maintain regular backups and have an incident response plan ready to address potential compromises stemming from this vulnerability.