CVE-2025-64291: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Premmerce Premmerce User Roles
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premmerce Premmerce User Roles premmerce-user-roles allows Stored XSS. This issue affects Premmerce User Roles: from n/a through <= 1.0.13.
AI Analysis
Technical Summary
CVE-2025-64291 is a stored Cross-site Scripting (XSS) vulnerability in the Premmerce User Roles plugin for WordPress, affecting all versions up to and including 1.0.13. The flaw stems from improper neutralization of input during web page generation: input submitted by an authenticated, high-privilege user is stored and later rendered in the plugin's web interface without adequate sanitization or escaping, so arbitrary JavaScript executes in the browsers of other users who view the affected page. This can result in session hijacking, unauthorized actions, or data theft. Exploitation requires an account with elevated privileges but no further user interaction once the malicious payload is stored. The CVSS v3.1 base score is 5.9 (medium severity): attack vector adjacent network (AV:A), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), scope changed (S:C), and low impact on confidentiality, integrity, and availability. No public exploits or patches are known at the time of writing, but the vulnerability is published and should be addressed promptly. Premmerce User Roles is commonly used to manage user permissions on WordPress sites, often in e-commerce or membership deployments, so the issue is relevant to organizations that rely on WordPress for critical business functions.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to WordPress-based websites that use the Premmerce User Roles plugin. Exploitation could allow an attacker holding an authenticated high-privilege account to execute malicious scripts in other users' browsers, potentially leading to session hijacking, unauthorized privilege escalation, or data leakage. This can compromise sensitive customer data, disrupt business operations, and damage organizational reputation. Given the widespread use of WordPress in Europe, especially for e-commerce and membership platforms, the vulnerability could affect a broad range of sectors including retail, finance, and public services. The high-privilege requirement limits the attack surface, but insider threats or compromised administrator accounts increase the risk. Because the XSS is stored, the malicious payload persists until removed, which extends the exposure window and the potential impact. The medium severity indicates a moderate but non-negligible threat that should be addressed to maintain compliance with data protection regulations such as GDPR, which mandate safeguarding personal data against unauthorized access or disclosure.
Mitigation Recommendations
1. Monitor for and apply security updates or patches from Premmerce as soon as they become available to remediate the vulnerability.
2. Restrict the number of users with high privileges in WordPress to the minimum necessary, and enforce strong authentication mechanisms including multi-factor authentication (MFA) to reduce the risk of account compromise.
3. Implement Web Application Firewalls (WAF) with rules to detect and block XSS payloads, especially for administrative interfaces.
4. Conduct regular security audits and code reviews of custom plugins or themes to identify and remediate input validation and output escaping issues.
5. Educate administrators and privileged users about phishing and social engineering risks to prevent credential theft.
6. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context.
7. Regularly review logs for suspicious activity indicative of attempted or successful exploitation.
8. Consider isolating critical WordPress administrative interfaces behind VPNs or IP allowlists to reduce exposure.
Together these measures reduce both the likelihood and the impact of exploitation, going beyond generic hardening advice by targeting the privileged-account and stored-payload characteristics of this vulnerability.
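As an added illustration of the bug class and of recommendations 4 and 6 above (this is not Premmerce's code; the page does not show the affected source), a hypothetical WordPress settings handler with the vulnerable unescaped-output pattern beside its hardened form, plus a baseline CSP header. The `prx_example_*` function names and the `prx_example_role_label` option are assumptions; the WordPress API calls are real.

```php
<?php
// Added example, not code from the Premmerce User Roles plugin. Function and
// option names (prx_example_*) are hypothetical; the WordPress API calls are real.

// Vulnerable pattern: a privileged user's input is stored as submitted and later
// echoed into HTML unchanged, so markup in the saved value executes in the
// browser of every user who views the page (stored XSS).
function prx_example_save_label_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'prx_example_save_label' );
    update_option( 'prx_example_role_label', wp_unslash( $_POST['role_label'] ?? '' ) );
}

function prx_example_render_label_vulnerable() {
    $label = get_option( 'prx_example_role_label', '' );
    echo '<td>' . $label . '</td>';                          // unescaped HTML body
    echo '<input name="role_label" value="' . $label . '">'; // unescaped attribute
}

// Hardened pattern: sanitize on input AND escape for the exact output context.
// Escaping at output is the control that actually prevents XSS; sanitizing on
// input only limits what gets stored.
function prx_example_save_label_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'prx_example_save_label' );
    $label = sanitize_text_field( wp_unslash( $_POST['role_label'] ?? '' ) );
    update_option( 'prx_example_role_label', $label );
}

function prx_example_render_label_hardened() {
    $label = get_option( 'prx_example_role_label', '' );
    echo '<td>' . esc_html( $label ) . '</td>';                          // HTML body context
    echo '<input name="role_label" value="' . esc_attr( $label ) . '">'; // attribute context
}

// Defense in depth (recommendation 6): a CSP that blocks inline and third-party
// scripts. WordPress admin pages rely on inline scripts, so a policy this strict
// typically needs nonces or hashes before it can be applied to wp-admin.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```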
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-29T03:29:08.850Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6901d66086d093201c2b6248
Added to database: 10/29/2025, 8:54:56 AM
Last enriched: 11/13/2025, 1:07:58 PM
Last updated: 12/13/2025, 8:52:29 PM
Views: 100