CVE-2025-6626: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shortpixel ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
The ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the API URL Setting in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-6626 is a medium-severity stored cross-site scripting (XSS) vulnerability in the ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin for WordPress, affecting all versions up to and including 3.10.3. The root cause is CWE-79: the plugin's API URL setting is neither sanitized when it is saved nor escaped when it is written back into a page. A value that is not a URL at all, for example one that closes the HTML attribute or script context it is rendered into, is stored as submitted and later executes as script in the browser of any user who loads a page where the setting is rendered.

Exploitation requires an authenticated user with administrator-level access, which is why the advisory scopes the issue to multi-site installations and to installations where the unfiltered_html capability has been disabled. On a default single-site install, administrators hold unfiltered_html and can already publish arbitrary HTML and script, so an unescaped setting gives them nothing new. On multisite, site administrators do not hold unfiltered_html (only super administrators do), and on single-site installs it can be removed with the DISALLOW_UNFILTERED_HTML constant. In those configurations the plugin lets an administrator cross a boundary WordPress deliberately enforces: a compromised or malicious site administrator can plant script that runs for super administrators and for other users of that site.

The CVSS v3.1 base score is 4.4 (medium), consistent with the vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N: network attack vector, high attack complexity, high privileges required, no user interaction, changed scope, and low impact on confidentiality and integrity with none on availability. No exploitation in the wild has been reported and no patch was linked at the time this entry was enriched. The realistic threat model is a malicious insider, or an attacker who has already obtained a site administrator account on a multisite network, using the setting to persist script across that site's pages.
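The pattern behind the advisory, as an added illustration rather than the plugin's own code: a URL-type setting saved without sanitization and printed without escaping, beside a hardened version that validates on save and escapes for each output context. Every function and option name prefixed "example_" is a placeholder; the WordPress functions (esc_url_raw, register_setting, esc_attr, wp_json_encode, add_settings_error) are real.

```php
<?php
// Added illustrative example; it is not ShortPixel's code and does not reproduce the
// plugin's internals. It shows the CWE-79 pattern the advisory describes (a URL-type
// setting stored without sanitization and printed without escaping) next to a hardened
// version. Every function and option name prefixed "example_" is a placeholder.

// ---------- Vulnerable pattern (do not use) ----------

// Save: whatever the administrator submitted is written to the option unchanged.
function example_save_api_url_vulnerable() {
    if ( isset( $_POST['example_api_url'] ) ) {
        update_option( 'example_api_url', wp_unslash( $_POST['example_api_url'] ) );
    }
}

// Output: the stored value is concatenated into an attribute and into a script block.
// A stored value such as   https://cdn.example/" onfocus="alert(1)" autofocus="
// leaves the attribute, and one containing </script><script>... leaves the script
// block, so the payload runs for every user who loads the page.
function example_render_api_url_vulnerable() {
    $url = get_option( 'example_api_url', '' );
    echo '<input type="text" name="example_api_url" value="' . $url . '">';
    echo '<script>var exampleApiUrl = "' . $url . '";</script>';
}

// ---------- Hardened pattern ----------

// 1. Sanitize on save: accept only an http(s) URL that has a host; otherwise keep the
//    previous value and report an error. esc_url_raw() strips <, >, " and whitespace
//    and rejects unknown schemes, but it leaves a single quote in place, which is one
//    reason step 2 is still required.
function example_sanitize_api_url( $value ) {
    $clean = esc_url_raw( trim( (string) $value ), array( 'https', 'http' ) );
    if ( '' === $clean || ! wp_parse_url( $clean, PHP_URL_HOST ) ) {
        add_settings_error( 'example_api_url', 'invalid_url', 'API URL must be an http(s) URL.' );
        return get_option( 'example_api_url', '' );
    }
    return $clean;
}

add_action( 'admin_init', function () {
    register_setting( 'example_options', 'example_api_url', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_api_url',
        'default'           => '',
    ) );
} );

// 2. Escape on output, for the context the value lands in: esc_attr() for an HTML
//    attribute, a JSON string literal for JavaScript (json_encode escapes "/" as "\/",
//    so a "</script>" inside the value cannot close the script element).
function example_render_api_url_hardened() {
    $url = get_option( 'example_api_url', '' );
    echo '<input type="text" name="example_api_url" value="' . esc_attr( $url ) . '">';
    echo '<script>var exampleApiUrl = ' . wp_json_encode( $url ) . ';</script>';
}
```

Sanitizing on save narrows what can be stored, but it does not replace output escaping: esc_url_raw keeps single quotes and parentheses, so a value that survives it can still break out of a single-quoted attribute or an inline script if it is echoed raw. Both steps together are what CWE-79 remediation means for a settings field.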
Potential Impact
For European organizations the impact is concentrated in WordPress multisite deployments (university, agency and franchise networks, intranets and hosted portals) that run this plugin for image optimization. A payload stored in the setting runs with the privileges of whoever views the injected page. WordPress authentication cookies are HttpOnly by default, so outright cookie theft is unlikely; the realistic outcome is script that performs authenticated actions as the victim, for example adding an account or installing a plugin when a super administrator visits the affected site, or defacing content and injecting redirects for ordinary visitors. Because administrator-level access is a precondition, the threat is an insider or an attacker who has already taken over a site administrator account; the vulnerability turns that site-scoped role into a foothold against users of the whole network. Any resulting compromise of personal data falls under GDPR breach-notification obligations. The medium CVSS score reflects the high privilege requirement, but persistence and the scope change across sites make it worth treating seriously on web-facing services.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Restrict administrator access on every site to trusted personnel, and on multisite audit site-administrator grants in particular, since the attack path runs from site administrator to super administrator and other users.
2) On multisite networks and on installs that set DISALLOW_UNFILTERED_HTML, deactivate the plugin until a fixed version is available, or accept that every site administrator can run script in the context of super administrators in the meantime.
3) Single-site installs with the default capability set are out of scope, but only because their administrators already hold unfiltered_html; disabling that capability as a hardening step puts an unpatched install back in scope, so do not rely on moving a site to single-site as a fix by itself.
4) A WAF rule on the settings-save request has limited value, because the attacker is already an authenticated administrator; if one is deployed, constrain the API URL field to an http(s) URL pattern rather than blocking script keywords, and inspect the currently stored value on each site, since a legitimate value is a plain URL and anything containing quotes, angle brackets, whitespace or a non-http(s) scheme indicates tampering.
5) A Content Security Policy that excludes 'unsafe-inline' for scripts would neutralize the injected inline script, but WordPress admin pages depend on inline scripts, so test such a policy in report-only mode before enforcing it.
6) Monitor for changes to plugin settings and for new administrator or super-administrator accounts; an audit-log plugin or change tracking on the options table makes a planted payload and its follow-on actions visible.
7) Watch the vendor changelog and the Wordfence advisory and apply the fixed version as soon as it is released.
8) Make administrators aware that plugin settings fields are output paths, and that administrator-level XSS is a real privilege boundary on multisite.
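A check for items 2 through 4 above, as an added example and not code from the advisory or the plugin: it reports whether the site is in the scoped configuration (multisite, or unfiltered_html disabled globally), whether the installed plugin version is in the affected range, and whether the stored API URL setting still looks like a plain URL. The option name is an assumed placeholder; read the real one from the plugin's settings code before trusting that part of the output. The WordPress and WP-CLI calls used (is_multisite, get_plugins, is_plugin_active, esc_url_raw, wp_parse_url, wp eval-file, wp site list) are real.

```php
<?php
/**
 * Added example, not code from the advisory or from the plugin. Reports whether a
 * WordPress site matches the configuration the advisory scopes this issue to
 * (multisite, or unfiltered_html disabled), whether the installed plugin version is
 * in the affected range (<= 3.10.3), and whether the stored API URL setting still
 * looks like a plain URL. Run it with WP-CLI from the WordPress root:
 *     wp eval-file check-cve-2025-6626.php
 * On multisite, options are per site, so run it once per site:
 *     for u in $(wp site list --field=url); do wp --url="$u" eval-file check-cve-2025-6626.php; done
 */

// ASSUMPTION: placeholder option name; take the real one from the plugin's settings code.
define( 'CVE_2025_6626_OPTION', 'example_api_url' );

function cve_2025_6626_report() {
    $r = array();

    // Scope conditions named in the advisory.
    $r['multisite']                   = is_multisite();
    $r['unfiltered_html_disabled']    = defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;
    $r['config_in_scope']             = $r['multisite'] || $r['unfiltered_html_disabled'];

    // Installed plugin version, located by plugin name rather than by guessing its path.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $r['plugin_version']   = null;
    $r['plugin_active']    = false;
    $r['version_affected'] = false;
    foreach ( get_plugins() as $file => $data ) {
        if ( false !== stripos( $data['Name'], 'ShortPixel Adaptive Images' ) ) {
            $r['plugin_version']   = $data['Version'];
            $r['plugin_active']    = is_plugin_active( $file );
            $r['version_affected'] = version_compare( $data['Version'], '3.10.3', '<=' );
            break;
        }
    }

    // Stored setting: a clean value survives esc_url_raw() unchanged and has a host.
    // esc_url_raw() strips <, >, " and whitespace and rejects non-http(s) schemes, but
    // leaves a single quote alone, so quotes are checked explicitly as well.
    $raw   = (string) get_option( CVE_2025_6626_OPTION, '' );
    $clean = esc_url_raw( $raw, array( 'https', 'http' ) );
    $host  = wp_parse_url( $clean, PHP_URL_HOST );
    $r['setting_value']      = $raw;
    $r['setting_suspicious'] = ( '' !== $raw ) && (
        $raw !== $clean
        || empty( $host )
        || false !== strpbrk( $raw, "'\"<>" )
    );
    $r['action_needed'] = $r['config_in_scope'] && $r['plugin_active'] && $r['version_affected'];
    return $r;
}

$report = cve_2025_6626_report();
foreach ( $report as $key => $value ) {
    printf( "%-22s %s\n", $key, is_bool( $value ) ? ( $value ? 'yes' : 'no' ) : var_export( $value, true ) );
}
```

A "setting_suspicious: yes" result on a site in scope means the stored value has already been tampered with or was never a URL; reset it from a trusted account and review recent administrator activity on that site. "action_needed: yes" with a clean setting means the site is exposed but not yet abused, which is the case items 2 and 7 above address.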
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-25T10:26:36.435Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688dbf27ad5a09ad00d1faf3
Added to database: 8/2/2025, 7:32:55 AM
Last enriched: 8/2/2025, 7:48:29 AM
Last updated: 8/2/2025, 9:16:25 AM
Related Threats
- CVE-2025-8488 (Medium): CWE-862 Missing Authorization in brainstormforce Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
- CVE-2025-6722 (Medium): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in bitslip6 BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security
- CVE-2025-8317 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bnielsen Custom Word Cloud
- CVE-2025-8212 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nicheaddons Medical Addon for Elementor
- CVE-2025-8152 (Medium): CWE-862 Missing Authorization in blendmedia WP CTA