CVE-2025-5800: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in juiiee8487 Testimonial Post type
The Testimonial Post type plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-5800 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability in the Testimonial Post type plugin for WordPress, developed by juiiee8487, affecting all versions up to and including 1.2.1. It is classified as CWE-79: the value of the 'auto_play' parameter is neither sanitized when it is saved nor escaped when it is written into the page, so an authenticated user with Contributor-level access or higher can store arbitrary HTML and JavaScript in a testimonial post. The payload persists in the database and is rendered each time the affected page is viewed, so it executes in the browser of every visitor, including site administrators, with no interaction beyond loading the page. A script running in an administrator's session can read page content, capture credentials entered on the page, or drive the admin interface and REST API with that administrator's privileges; note that WordPress authentication cookies are HttpOnly by default, so the practical risk is actions performed from within the victim's session rather than theft of the session cookie itself.

The CVSS 3.1 base score is 6.4, which corresponds to AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, low privileges required (Contributor), no user interaction, and changed scope, because the injected script executes in other users' browsers rather than inside the vulnerable plugin component. No exploitation in the wild has been reported, and at the time of this analysis no fixed version had been published. The CVE was reserved on 2025-06-06 and published in July 2025.
Potential Impact
For European organizations running WordPress sites with the vulnerable Testimonial Post type plugin, the main risk is that a low-trust account becomes a foothold against higher-privileged users. Contributor-level access is common for guest authors, agencies and marketing staff and is routinely obtained through credential stuffing, phishing or insider misuse. An attacker with that access can plant a script that runs in the browsers of everyone who views the testimonial page, including administrators and customers, enabling theft of data displayed on the page, capture of credentials or form input, actions performed in an administrator's session (such as creating users or changing settings), and redirection to phishing or malware-serving pages. Where the affected site processes personal data, a resulting breach falls under GDPR and may carry regulatory penalties in addition to reputational damage. Because the payload is stored, it stays active until the injected content is found and removed; patching the plugin alone does not clean it up. With no fix available yet, organizations must rely on compensating controls. Given how widely WordPress is used across European corporate, governmental and SME websites, and how often testimonial and other user-generated content is displayed to the public, the exposure is broad.
Mitigation Recommendations
1. Restrict Contributor-level and higher roles to trusted users, and review existing accounts and recent role changes for anything unexpected. Contributor is the lowest role this issue requires, and on many sites it is treated as low-trust.
2. Audit testimonial content that is already stored: search post content and post meta for 'auto_play' values containing quotes, angle brackets or on* event handler names, and remove them. A stored XSS payload remains live after the plugin is fixed if the injected content is left in the database.
3. Add Web Application Firewall (WAF) rules that block markup and script patterns in testimonial submissions, especially in the 'auto_play' value. Treat this as a speed bump rather than a fix: signature rules on a single parameter are easy to evade with alternative encodings or event handlers.
4. Deploy a Content Security Policy that does not allow inline scripts. Roll it out in report-only mode first, since many WordPress themes and plugins depend on inline script; a policy that still permits 'unsafe-inline' will not stop this attack.
5. If you maintain the plugin code or can add a must-use plugin, validate 'auto_play' against the values it is actually allowed to take (it is a boolean option) before it is stored, and escape it with esc_attr() wherever it is written into markup, until an official fix is available.
6. Monitor for new or modified testimonial posts from Contributor accounts, and for administrative actions (user creation, option changes, plugin uploads) that occur shortly after an administrator views a testimonial page.
7. Educate site administrators and content contributors about the risks of XSS and safe content submission practices.
8. Apply the vendor update as soon as it is released and confirm the installed version is newer than 1.2.1.
9. If no fix is available, deactivate the plugin or replace it with a maintained alternative. Deactivation stops the vulnerable rendering path but does not remove stored payloads, so still perform the audit in step 2.
10. Conduct penetration testing focused on XSS vectors in testimonial content to identify residual risk.
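The following is an added illustration of the bug class described in the technical summary and of the server-side validation and escaping called for in mitigation step 5. It is not the Testimonial Post type plugin's code, and it assumes things the advisory does not state: that 'auto_play' arrives as a shortcode attribute and is rendered into a data attribute on the slider container. That assumption matters because Contributors lack the unfiltered_html capability, so their post content passes through KSES, which strips script tags and on* handlers from HTML but leaves shortcode attribute text untouched; the payload therefore survives until the plugin renders it. The esc_attr() and shortcode_atts() stand-ins are defined only so the file runs outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Illustrative only: models the class of flaw in CVE-2025-5800, not the plugin's code.
// Assumption: 'auto_play' is a shortcode attribute written into a data-attribute.

// Stand-ins so this file runs outside WordPress. Inside WordPress these are skipped
// and the real esc_attr()/shortcode_atts() are used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array
    {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// VULNERABLE: the attribute value is concatenated straight into the markup.
// A Contributor can save [testimonials auto_play='x" onmouseover="alert(1)'] in a
// post; KSES leaves shortcode attribute text alone, so the payload is stored intact
// and this function emits it on every page view.
function render_slider_vulnerable(array $atts): string
{
    $atts = shortcode_atts(['auto_play' => 'true'], $atts);
    return '<div class="testimonial-slider" data-autoplay="' . $atts['auto_play'] . '"></div>';
}

// HARDENED, step 1: auto_play is a boolean option, so allowlist it. Anything that is
// not a recognised boolean token is discarded in favour of the default.
function normalize_auto_play($value, string $default = 'true'): string
{
    $bool = filter_var((string) $value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($bool === null) {
        return $default;
    }
    return $bool ? 'true' : 'false';
}

// HARDENED, step 2: escape on output regardless. Either layer alone stops this
// payload; keeping both means a future caller that skips validation is still safe.
function render_slider_hardened(array $atts): string
{
    $atts = shortcode_atts(['auto_play' => 'true'], $atts);
    $auto_play = normalize_auto_play($atts['auto_play']);
    return '<div class="testimonial-slider" data-autoplay="' . esc_attr($auto_play) . '"></div>';
}

// Constructed payload for demonstration; not taken from any real report.
$stored = ['auto_play' => 'x" onmouseover="alert(1)'];
echo render_slider_vulnerable($stored), PHP_EOL;
echo render_slider_hardened($stored), PHP_EOL;
```

Run with `php render_autoplay.php`. The vulnerable function closes the data-autoplay attribute early and emits the attacker's onmouseover handler as a real attribute, which fires when a visitor hovers over the slider; the hardened function emits data-autoplay="true" because the payload is not a valid boolean token. Escaping alone (esc_attr on the raw value) would also have neutralised this payload by encoding the quote, but it would still store and display garbage, so validating the value against its allowed set is the better primary control.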
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-06T09:24:35.419Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6879dc20a83201eaacef69f2
Added to database: 7/18/2025, 5:31:12 AM
Last enriched: 7/18/2025, 5:48:02 AM
Last updated: 8/9/2025, 9:01:22 PM
Views: 9
Related Threats
CVE-2025-52621: CWE-346 Origin Validation Error in HCL Software BigFix SaaS Remediate (Medium)
CVE-2025-52620: CWE-20 Improper Input Validation in HCL Software BigFix SaaS Remediate (Medium)
CVE-2025-52619: CWE-209 Generation of Error Message Containing Sensitive Information in HCL Software BigFix SaaS Remediate (Medium)
CVE-2025-52618: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in HCL Software BigFix SaaS Remediate (Medium)
CVE-2025-43201: An app may be able to unexpectedly leak a user's credentials in Apple Apple Music Classical for Android (High)