CVE-2025-60040 is a stored Cross-site Scripting (XSS) vulnerability identified in the WordPress plugin 'wp-mpdf' developed by fkrauthan. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. Specifically, the plugin fails to adequately sanitize or encode user-supplied input before rendering it in web pages, allowing malicious actors to inject and persist executable scripts within the application context. This stored XSS can be triggered when a victim accesses a compromised page, leading to the execution of arbitrary JavaScript in their browser. The affected versions include all versions up to 3.9.1, with no specific lower bound version identified. The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates that the attack can be performed remotely over the network with low attack complexity, requires low privileges, and user interaction is necessary. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability to a limited extent. No patches or known exploits in the wild have been reported at the time of publication. The vulnerability is significant because wp-mpdf is a plugin used to generate PDF documents within WordPress sites, and exploitation could allow attackers to steal session cookies, perform actions on behalf of users, or deliver further payloads, potentially compromising site integrity and user trust.

For European organizations using WordPress sites with the wp-mpdf plugin, this vulnerability poses a risk of client-side compromise through stored XSS attacks. Attackers could exploit this to hijack user sessions, steal sensitive information, or manipulate site content, which may lead to reputational damage, data breaches, or unauthorized actions within the affected web applications. Given the widespread use of WordPress across Europe, especially among SMEs and public sector websites, the impact could be significant if exploited at scale. The medium severity score suggests that while the vulnerability is not trivial, exploitation requires some user interaction and low privileges, limiting mass exploitation but still posing a threat to targeted users or administrators. Additionally, the scope change indicates potential for broader impact beyond the plugin itself, possibly affecting other integrated components or user roles. Organizations handling personal data under GDPR must consider the risk of data leakage or unauthorized access resulting from such XSS attacks, which could lead to regulatory penalties and loss of customer trust.

1. Immediate mitigation should involve disabling or uninstalling the wp-mpdf plugin until a security patch is released. 2. Monitor official channels from the vendor fkrauthan and WordPress plugin repository for updates or patches addressing CVE-2025-60040. 3. Implement web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting wp-mpdf endpoints. 4. Conduct thorough input validation and output encoding on all user-supplied data within the WordPress environment, especially for plugins handling document generation. 5. Educate site administrators and users to recognize suspicious links or inputs that could trigger XSS attacks. 6. Regularly audit WordPress plugins and themes for vulnerabilities and maintain an up-to-date inventory to prioritize patching. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of XSS. 8. Review user privilege assignments to minimize the number of users with low privileges who can input data that might be rendered unsafely. 9. After patching, perform penetration testing focused on XSS to verify the vulnerability has been remediated.