CVE-2025-6538 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the 'Post Rating and Review' WordPress plugin developed by bourgesloic. This vulnerability exists in all versions up to and including 1.3.4 due to improper neutralization of input during web page generation, specifically via the 'class' parameter. The root cause is insufficient input sanitization and output escaping, which allows an authenticated attacker with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these injected pages, the malicious scripts execute in their browsers within the context of the vulnerable site. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based (remote), with low attack complexity and requiring privileges (Contributor or above). No user interaction is needed for the exploit to succeed once the malicious script is injected, and the scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component. The impact affects confidentiality and integrity, allowing attackers to potentially steal session cookies, perform actions on behalf of other users, or deface content. Availability is not impacted. No known exploits are currently reported in the wild, and no official patches have been published at the time of analysis. The vulnerability is classified under CWE-79, which corresponds to improper neutralization of input leading to XSS attacks.

For European organizations using WordPress sites with the 'Post Rating and Review' plugin, this vulnerability poses a significant risk to user trust and data confidentiality. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, unauthorized actions, or distribution of malware. This can result in reputational damage, data breaches involving personal data protected under GDPR, and possible regulatory penalties. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts are primary risk vectors. The scope change means that the impact could extend beyond the plugin itself, potentially affecting other parts of the website or integrated systems. Given the widespread use of WordPress across European businesses, especially in small and medium enterprises and public sector websites, exploitation could disrupt online services and erode user confidence. However, the lack of known active exploits reduces immediate risk, though the medium severity score warrants timely remediation.

1. Immediate mitigation should involve restricting Contributor-level permissions to trusted users only and monitoring for unusual activity or content changes within the plugin's functionality. 2. Implement Web Application Firewall (WAF) rules specifically targeting suspicious payloads in the 'class' parameter or other input fields related to the plugin. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 4. Regularly audit and sanitize all user-generated content, especially from contributors, before publishing. 5. Until an official patch is released, consider disabling or removing the 'Post Rating and Review' plugin if feasible, or replacing it with alternative plugins that have been verified as secure. 6. Educate site administrators and contributors about the risks of XSS and the importance of secure coding and input validation practices. 7. Monitor security advisories from the plugin vendor and WordPress community for updates or patches addressing this vulnerability.