CVE-2025-6538 is a stored cross-site scripting (XSS) vulnerability identified in the bourgesloic Post Rating and Review plugin for WordPress, affecting all versions up to and including 1.3.4. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of the 'class' parameter. The plugin fails to adequately sanitize and escape this parameter, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes in the context of any user who views the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the user. The attack vector is network-based, with low complexity and no user interaction required, but it does require authentication with at least Contributor privileges. The vulnerability impacts confidentiality and integrity but does not affect availability. Although no known exploits are currently in the wild, the widespread use of WordPress and this plugin increases the risk of exploitation once a public exploit becomes available. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks. The CVSS v3.1 base score is 6.4, reflecting a medium severity level. No official patches have been linked yet, so mitigation relies on access control, input validation, and monitoring.

The primary impact of CVE-2025-6538 is the compromise of user confidentiality and integrity on affected WordPress sites. An attacker with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. This can erode user trust, damage brand reputation, and lead to data breaches. Since the vulnerability requires authenticated access, the risk is somewhat limited to sites that allow Contributor-level users, but many WordPress sites permit such roles for content creation. The scope includes all sites running the vulnerable plugin versions, which could be substantial given WordPress's market share. The lack of known exploits reduces immediate risk, but the ease of exploitation and network accessibility make this a significant threat once weaponized. Organizations relying on this plugin for user reviews or ratings are particularly vulnerable to targeted attacks aiming to manipulate content or compromise user accounts.

1. Immediately restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious script injection. 2. Monitor and audit user-generated content, especially any input related to the 'class' parameter or other HTML attributes, for suspicious or unexpected scripts. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the plugin. 4. Apply strict Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of injected scripts. 5. If possible, disable or remove the Post Rating and Review plugin until an official patch is released. 6. Encourage plugin developers or maintainers to release a patch that properly sanitizes and escapes all user inputs, especially the 'class' parameter. 7. Educate site administrators and contributors about the risks of XSS and safe content submission practices. 8. Regularly update WordPress core and plugins to the latest versions to benefit from security fixes. 9. Use security plugins that scan for stored XSS and other vulnerabilities within user-generated content. 10. Backup site data regularly to enable quick recovery in case of compromise.