The ProcessingJS for WordPress plugin, developed by cageehv, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-6039. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically within the 'pjs4wp' shortcode functionality. Versions up to and including 1.2.2 fail to adequately sanitize and escape user-supplied attributes, enabling authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into WordPress pages. Because the malicious payload is stored, it executes in the context of any user who visits the compromised page, potentially exposing sensitive information such as cookies or session tokens, or enabling actions on behalf of the victim user. The vulnerability has a CVSS 3.1 score of 6.4, reflecting a network attack vector, low attack complexity, and the requirement for privileges (authenticated contributor or above), but no user interaction is needed for exploitation. The scope is considered changed (S:C) because the vulnerability affects other users beyond the attacker. No patches or official fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. The vulnerability highlights the risks of insufficient input validation and output encoding in WordPress plugins, especially those that allow user-generated content or shortcode attributes.

This vulnerability can lead to significant security risks for organizations running WordPress sites with the ProcessingJS plugin installed. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, privilege escalation, defacement, or distribution of malware. The compromise of administrator sessions could result in full site takeover, data theft, or persistent backdoors. Since the vulnerability is stored XSS, the impact extends beyond the initial attacker to all users who view the infected content. This can damage organizational reputation, lead to data breaches, and cause operational disruptions. The medium CVSS score reflects that while exploitation requires authenticated access, the low complexity and network vector make it a realistic threat in environments where contributor accounts are common or compromised. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks, especially as details become public.

Organizations should immediately audit their WordPress installations for the ProcessingJS plugin and verify the version in use. If possible, update to a patched version once available from the vendor. In the absence of an official patch, administrators should consider disabling or removing the plugin to eliminate the attack surface. Restrict contributor-level permissions carefully, ensuring only trusted users have such access. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs or script injections targeting the 'pjs4wp' shortcode. Conduct thorough content reviews to identify and remove any injected malicious scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs and user activity for signs of exploitation attempts. Educate content contributors about safe input practices and the risks of injecting untrusted content. Finally, maintain up-to-date backups to enable recovery in case of compromise.