CVE-2025-6719 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Terms descriptions plugin for WordPress developed by vladimirs. This vulnerability affects all plugin versions up to and including 3.4.8. The root cause is insufficient sanitization of input and lack of proper output escaping in the plugin’s admin settings, which allows an attacker with administrator-level permissions to inject arbitrary JavaScript code into the plugin’s stored data. This malicious script is then executed in the context of any user who views the affected page, leading to potential session hijacking, privilege escalation, or other malicious actions. The vulnerability specifically impacts multi-site WordPress installations or single-site installations where the unfiltered_html capability is disabled, limiting the attack surface to these configurations. The CVSS v3.1 base score is 4.4, reflecting a medium severity due to the requirement for authenticated high-privilege access and a high attack complexity, but with a scope change (S:C) indicating that the vulnerability can affect resources beyond the initially vulnerable component. No public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using this plugin without proper mitigation or updates.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks that can compromise the confidentiality and integrity of user data on affected WordPress sites. An attacker with administrator privileges can inject malicious scripts that execute in the browsers of users who visit the infected pages, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of users. Although availability is not directly impacted, the trustworthiness and security posture of the affected websites can be severely undermined. For organizations running multi-site WordPress installations or those with unfiltered_html disabled, this vulnerability could facilitate lateral movement or privilege escalation within the site’s user base. Given WordPress’s widespread use globally, especially in small to medium enterprises and content-heavy websites, the vulnerability could have broad implications if exploited, including data breaches and reputational damage.

To mitigate this vulnerability, organizations should first update the Terms descriptions plugin to a version beyond 3.4.8 once a patch is released by the vendor. Until an official patch is available, administrators should restrict plugin usage to trusted users only and audit admin-level accounts to minimize risk. Enabling strict Content Security Policy (CSP) headers can help reduce the impact of injected scripts by restricting script execution sources. Additionally, review and harden WordPress security settings, including limiting the use of multi-site installations if not required, and carefully managing the unfiltered_html capability. Employing web application firewalls (WAFs) with rules to detect and block XSS payloads targeting this plugin can provide an additional layer of defense. Regular security audits and monitoring for unusual admin activity or injected scripts in plugin settings are recommended to detect exploitation attempts early.