The Taeggie Feed plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-6382. This vulnerability is due to improper neutralization of user input (CWE-79) in the plugin’s render() method, which directly injects the user-supplied 'name' attribute into a <script> tag without proper escaping or sanitization. Specifically, the input is embedded both in the id attribute of the script tag and inside a jQuery.getScript() call, creating an injection vector for arbitrary JavaScript code. Because the vulnerability is stored, the malicious script persists in the content and executes every time the affected page is loaded by any user. Exploitation requires an authenticated user with contributor-level privileges or higher, which is common in many WordPress environments where multiple users contribute content. The vulnerability does not require any user interaction beyond visiting the infected page, and it affects all versions of the Taeggie Feed plugin up to and including 0.1.10. The CVSS v3.1 score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed due to the potential impact on other users viewing the injected content. No patches or fixes have been linked yet, and no known exploits are reported in the wild as of the publication date.

This vulnerability allows an authenticated contributor or higher to inject persistent malicious JavaScript into pages rendered by the Taeggie Feed plugin. The impact includes potential theft of user session cookies, enabling account takeover, unauthorized actions on behalf of users, defacement of website content, and distribution of malware. Since the injected script executes in the context of any user visiting the compromised page, it can affect administrators and visitors alike, potentially leading to widespread compromise. The vulnerability undermines the integrity and confidentiality of the website and its users. Although availability is not directly impacted, the reputational damage and potential for further exploitation can indirectly affect service reliability. Organizations relying on this plugin, especially those with multiple contributors or public-facing content, face increased risk of targeted attacks or automated exploitation once the vulnerability becomes widely known or weaponized.

Immediate mitigation involves restricting contributor-level access to trusted users only until a patch is available. Administrators should audit existing content for suspicious scripts injected via the taeggie-feed shortcode. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the plugin’s shortcode parameters can reduce risk. Developers or site administrators can apply manual input sanitization or escaping in the plugin’s render() method to neutralize script injection vectors, such as encoding special characters in the 'name' attribute before output. Monitoring logs for unusual contributor activity and scanning for injected scripts on pages using the plugin is recommended. Once a vendor patch or update is released, promptly apply it. Additionally, educating contributors about safe input practices and limiting plugin usage to trusted environments can help reduce exposure.