CVE-2025-6039 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the ProcessingJS for WordPress plugin developed by cageehv. This vulnerability exists in all versions up to and including 1.2.2 of the plugin. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'pjs4wp' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into WordPress pages. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The vector details show that the attack can be performed remotely (AV:N) with low attack complexity (AC:L), requires privileges (PR:L) but no user interaction (UI:N), and impacts confidentiality and integrity with a scope change (S:C). No known exploits are currently reported in the wild, and no official patches have been released yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common cause of XSS issues. Given that WordPress is a widely used content management system and ProcessingJS for WordPress is a plugin that enables embedding ProcessingJS sketches, this vulnerability could affect many websites that use this plugin, especially those allowing contributor-level users to add or edit content.

For European organizations, this vulnerability poses a significant risk especially to those relying on WordPress sites with the ProcessingJS plugin installed. The ability for authenticated contributors to inject malicious scripts can lead to unauthorized data disclosure, session hijacking, and potential lateral movement within the web application. Confidential information such as user credentials, personal data protected under GDPR, or internal business data could be exposed or manipulated. The integrity of website content can be compromised, damaging organizational reputation and trust. Since the scope is changed, the impact can extend beyond the initially compromised user to other users visiting the infected pages. This is particularly concerning for organizations in sectors like finance, healthcare, government, and e-commerce, where website trustworthiness and data confidentiality are paramount. Additionally, the lack of user interaction required for exploitation means that the attack can silently affect visitors, increasing the risk of widespread impact. The medium CVSS score reflects a moderate but non-negligible threat that should be addressed promptly to prevent escalation or exploitation in targeted attacks.

European organizations should immediately audit their WordPress installations to identify the presence of the ProcessingJS for WordPress plugin, especially versions up to 1.2.2. Until an official patch is released, organizations should consider disabling or uninstalling the plugin to eliminate the attack vector. Restrict contributor-level permissions to only trusted users and review user roles to minimize the number of users who can add or edit content using shortcodes. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode usage or script injection attempts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. Regularly monitor website content for unauthorized changes or injected scripts using automated scanning tools. Educate content contributors about the risks of injecting untrusted code and enforce strict content validation policies. Once a patch is available, prioritize its deployment and verify the plugin version to ensure the vulnerability is remediated. Additionally, conduct penetration testing focused on XSS vulnerabilities to identify any residual or related issues.