CVE-2025-5845 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Affiliate Reviews plugin for WordPress developed by wpchop. This vulnerability exists in all versions up to and including 1.0.6. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'numColumns' parameter. Authenticated users with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages generated by the plugin. These scripts are then stored and executed in the context of any user who visits the affected page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based (remote), requires low attack complexity, and privileges at the Contributor level, but does not require user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which relates to improper input validation leading to XSS attacks.

For European organizations using WordPress sites with the Affiliate Reviews plugin, this vulnerability poses a significant risk to web application security. Exploitation could lead to unauthorized script execution in the browsers of site visitors or administrators, potentially compromising user credentials, session tokens, or enabling further attacks such as phishing or malware distribution. Given that Contributor-level access is required, insider threats or compromised accounts could be leveraged to exploit this vulnerability. The impact on confidentiality and integrity is moderate due to the ability to steal sensitive information or manipulate content. Availability is not directly affected. Organizations in Europe that rely on WordPress for e-commerce, customer engagement, or content management could face reputational damage, regulatory scrutiny under GDPR if personal data is compromised, and operational disruptions. The medium severity score reflects the balance between required privileges and potential damage, but the scope change indicates that the impact could extend beyond the plugin itself, affecting the broader WordPress environment.

European organizations should take immediate steps to mitigate this vulnerability. First, they should audit their WordPress installations to identify the presence of the Affiliate Reviews plugin and verify the version in use. Until an official patch is released, organizations should consider disabling or uninstalling the plugin to eliminate the attack surface. If disabling is not feasible, strict role management should be enforced to limit Contributor-level access only to trusted users, reducing the risk of exploitation. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'numColumns' parameter can provide additional protection. Regular monitoring of logs for unusual input patterns or script injections is recommended. Organizations should also educate users with elevated privileges about the risks of inputting untrusted data. Once a patch becomes available, prompt application of the update is critical. Additionally, employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts.