CVE-2025-6540 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the 'web-cam' WordPress plugin developed by murtuzamakda52. This vulnerability exists in all versions up to and including version 1.0 due to improper neutralization of input during web page generation, specifically via the 'slug' parameter. The root cause is insufficient input sanitization and lack of proper output escaping, allowing an authenticated attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability requires no user interaction beyond visiting the infected page, and the scope is limited to users who can access the affected pages. The CVSS 3.1 base score is 6.4 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or higher), no user interaction, and a scope change indicating that the vulnerability affects resources beyond the attacker’s privileges. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was publicly disclosed on June 26, 2025.

For European organizations using WordPress sites with the vulnerable 'web-cam' plugin, this vulnerability poses a moderate risk. Since exploitation requires Contributor-level access, attackers must first compromise or register accounts with elevated privileges, which may be feasible in environments with weak access controls or insufficient user vetting. Successful exploitation can lead to the injection of malicious scripts that execute in the browsers of site visitors or administrators, potentially enabling theft of authentication tokens, defacement, or further compromise of the web application. This can damage organizational reputation, lead to data leakage, and facilitate lateral movement within the network. Given the widespread use of WordPress in Europe across sectors such as government, education, and SMEs, the vulnerability could affect a broad range of organizations. The scope change in the CVSS vector indicates that the impact extends beyond the attacker's privileges, increasing the risk of privilege escalation or unauthorized data access. However, the absence of known exploits and the requirement for authenticated access somewhat limit immediate risk. Nonetheless, organizations with public-facing WordPress sites and multiple contributors should consider this a significant threat to web application security.

1. Immediately audit user roles and permissions on WordPress sites to ensure that only trusted users have Contributor-level or higher access. Remove or restrict unnecessary contributor accounts. 2. Implement strict input validation and output encoding on all user-supplied data, especially the 'slug' parameter in the 'web-cam' plugin, to prevent script injection. 3. Monitor and restrict plugin usage: consider disabling or removing the 'web-cam' plugin if it is not essential. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'slug' parameter. 5. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 6. Regularly update WordPress core, plugins, and themes; monitor vendor announcements for patches addressing this vulnerability and apply them promptly once available. 7. Conduct security awareness training for contributors to recognize phishing or social engineering attempts that could lead to account compromise. 8. Implement multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of account takeover. 9. Review logs for unusual activity related to plugin usage or page modifications that could indicate exploitation attempts.