CVE-2025-5923 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Game Review Block plugin for WordPress, developed by marcdk. This vulnerability arises from improper neutralization of input during web page generation, specifically related to the 'className' parameter. Versions up to and including 4.8.1 are affected, effectively all released versions. The root cause is insufficient input sanitization and output escaping, which allows an authenticated attacker with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the injected scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially affecting all visitors. The vulnerability does not require user interaction beyond visiting the infected page and does not require administrative privileges, only Contributor-level access, which is a relatively low privilege level in WordPress. The CVSS 3.1 base score is 6.4 (medium severity), with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, privileges required, no user interaction, scope changed, low confidentiality and integrity impact, and no availability impact. No known exploits have been reported in the wild yet. The vulnerability is categorized under CWE-79, highlighting improper input neutralization leading to XSS. The absence of a patch link suggests that a fix may not yet be publicly available or is pending release. This vulnerability can be leveraged to steal session cookies, perform actions on behalf of users, or conduct phishing attacks within the context of the affected WordPress site.

For European organizations using WordPress sites with the marcdk Game Review Block plugin, this vulnerability poses a significant risk to website integrity and user trust. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to credential theft, session hijacking, or unauthorized actions performed with the victim's privileges. This can compromise the confidentiality and integrity of user data and site content. While availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be severe. Organizations in sectors such as e-commerce, media, gaming, and online communities are particularly at risk, as they often rely on WordPress and user-generated content plugins. The vulnerability's exploitation could facilitate further attacks such as lateral movement within the site, privilege escalation, or distribution of malware. Given the scope of WordPress usage in Europe and the relatively low privilege required to exploit this flaw, the threat is material and warrants prompt attention.

1. Immediate mitigation should include restricting Contributor-level access to trusted users only, minimizing the risk of malicious input. 2. Implement manual input validation and sanitization on the 'className' parameter at the application level if patching is not yet available. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'className' parameter or typical XSS patterns. 4. Monitor logs for unusual Contributor activity or unexpected script injections in pages using the Game Review Block plugin. 5. Disable or remove the Game Review Block plugin temporarily if the risk is unacceptable and no patch is available. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Once a patch is released, prioritize testing and deployment across all affected WordPress instances. 8. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 9. Regularly audit and update all WordPress plugins to minimize exposure to known vulnerabilities.