CVE-2025-63000 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the WordPress plugin 'Sermon Manager' developed by WP for church. This plugin is used to manage and display sermons on WordPress websites, commonly by religious organizations. The vulnerability results from improper neutralization of user-supplied input during web page generation, allowing an attacker with low privileges (PR:L) to inject malicious scripts that are stored persistently. When other users or administrators view the affected pages, the malicious script executes in their browsers, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The CVSS v3.1 base score is 6.5, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) and user interaction (UI:R), and impacting confidentiality, integrity, and availability to a limited extent (C:L/I:L/A:L). No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. This vulnerability is particularly relevant for WordPress sites running Sermon Manager up to version 2.30.0, which are often used by churches and religious communities to publish sermons online.

For European organizations, especially religious institutions and community websites using the Sermon Manager plugin, this vulnerability poses a risk of malicious script injection that can compromise user sessions, steal sensitive information, or deface websites. The impact includes potential loss of confidentiality due to session hijacking, integrity violations through unauthorized content modification, and availability disruptions if malicious scripts cause denial of service or redirect users to harmful sites. Given the medium severity and requirement for low privileges and user interaction, attackers could exploit this vulnerability to target site administrators or regular users, potentially leading to broader compromise of the website and its users. This could damage organizational reputation, erode user trust, and lead to compliance issues under European data protection regulations such as GDPR if personal data is exposed or mishandled.

European organizations should immediately review user roles and permissions within their WordPress installations to minimize the number of users with privileges that allow content submission or editing. Implement strict input validation and sanitization on all user-generated content fields, especially those handled by the Sermon Manager plugin. Employ Web Application Firewalls (WAFs) with rules targeting XSS attack patterns to detect and block malicious payloads. Monitor website logs and user activity for unusual behavior indicative of exploitation attempts. Educate site administrators and users about the risks of clicking on suspicious links or interacting with untrusted content. Prepare to apply patches or updates from the vendor as soon as they become available. Additionally, consider isolating the plugin's functionality or disabling it temporarily if feasible until a fix is released. Conduct regular security audits and penetration testing focused on plugin vulnerabilities to identify and remediate similar issues proactively.