CVE-2025-5845 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Affiliate Reviews plugin for WordPress, developed by wpchop. This vulnerability affects all versions up to and including 1.0.6. The root cause is insufficient input sanitization and output escaping of the 'numColumns' parameter, which is used during web page generation. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into the plugin's pages. Because the vulnerability is stored, the malicious script persists in the database and executes each time a user accesses the infected page, potentially impacting all visitors, including administrators. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with attack vector being network-based, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change due to affecting other components beyond the vulnerable plugin. The impact includes limited confidentiality and integrity loss, such as theft of cookies, session tokens, or execution of unauthorized actions on behalf of users. No known public exploits have been reported yet, but the vulnerability's presence in a popular WordPress plugin makes it a notable risk. The lack of an official patch at the time of publication necessitates immediate mitigation steps. The vulnerability is cataloged under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks.

The vulnerability allows authenticated users with Contributor-level access or higher to inject persistent malicious scripts into WordPress sites using the Affiliate Reviews plugin. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed with victim user privileges, and potential privilege escalation if administrators are targeted. The stored nature of the XSS means that any user visiting the compromised page can be affected, increasing the attack surface. For organizations, this can result in data breaches, defacement, loss of user trust, and compliance violations. Since WordPress powers a significant portion of websites globally, and the Affiliate Reviews plugin is used by e-commerce and affiliate marketing sites, the impact can be widespread. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but contributor roles are commonly assigned, making the threat realistic. The vulnerability does not affect availability directly but compromises confidentiality and integrity, which can have severe downstream effects on business operations and reputation.

Organizations should immediately review user roles and restrict Contributor-level access to trusted users only, minimizing the risk of malicious input injection. Until an official patch is released, implement web application firewall (WAF) rules to detect and block suspicious payloads targeting the 'numColumns' parameter. Employ input validation and output encoding at the application level if possible, or use security plugins that provide XSS protection for WordPress. Regularly audit plugin usage and update to newer versions once the vendor releases a fix. Monitor logs and user activity for signs of exploitation or anomalous behavior. Educate content contributors about the risks of injecting untrusted content. Consider temporarily disabling or removing the Affiliate Reviews plugin if the risk is unacceptable and no patch is available. Finally, maintain backups and incident response plans to quickly recover from any successful attacks.