CVE-2025-5753 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Valuation Calculator plugin for WordPress developed by reallaunch. The vulnerability exists in all versions up to and including 1.3.2 due to improper neutralization of input during web page generation, specifically via the 'link' parameter. Authenticated users with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the injected scripts are stored and executed whenever any user accesses the affected page, this can lead to persistent XSS attacks. The vulnerability arises from insufficient input sanitization and lack of proper output escaping, which allows malicious scripts to be embedded in the plugin’s output. The CVSS v3.1 base score is 6.4, reflecting a network attack vector with low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. The impact includes partial confidentiality and integrity loss but no availability impact. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was publicly disclosed on July 23, 2025, with the CVE reserved on June 5, 2025. Stored XSS vulnerabilities like this can be leveraged for session hijacking, privilege escalation, defacement, or delivering further malware payloads within WordPress sites using the vulnerable plugin.

For European organizations, this vulnerability poses a significant risk especially to those relying on WordPress websites with the reallaunch Valuation Calculator plugin installed. Attackers with Contributor-level access—often achievable through compromised accounts or insider threats—can inject persistent malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of sensitive data such as authentication cookies, unauthorized actions performed on behalf of users, or redirection to malicious sites. Given the widespread use of WordPress in Europe for business, e-commerce, and governmental websites, exploitation could undermine trust, lead to data breaches under GDPR regulations, and cause reputational damage. The scope of impact is heightened for organizations with multiple contributors or less stringent access controls. Although no availability impact is noted, the confidentiality and integrity breaches could result in regulatory fines and loss of customer confidence. The lack of known exploits currently provides a window for proactive mitigation, but the vulnerability’s presence in a popular CMS plugin makes it a likely target for future attacks.

European organizations should immediately audit their WordPress installations to identify the presence of the reallaunch Valuation Calculator plugin and verify its version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. Implement strict access controls to limit Contributor-level privileges only to trusted users and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of account compromise. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'link' parameter. Conduct thorough input validation and output encoding on any custom integrations or overrides related to the plugin. Monitor logs for unusual activities or script injections. Educate content contributors about the risks of injecting untrusted content. Once a patch becomes available, prioritize prompt application and test updates in staging environments before production deployment. Additionally, consider implementing Content Security Policy (CSP) headers to mitigate the impact of potential XSS attacks by restricting script execution sources.