CVE-2025-7035 is a stored Cross-Site Scripting vulnerability identified in the Media Library Assistant plugin for WordPress, affecting all versions up to and including 3.26. The flaw is due to insufficient sanitization and escaping of user-supplied attributes in the mla_tag_cloud and mla_term_list shortcodes. Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability by injecting arbitrary JavaScript code into pages generated by these shortcodes. Because the malicious script is stored, it executes every time a user accesses the compromised page, potentially affecting any visitor, including administrators. The vulnerability leverages CWE-79, which involves improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a network attack vector, low attack complexity, privileges required (contributor-level), no user interaction, and a scope change due to the script executing in the context of other users. The impact includes limited confidentiality and integrity loss, such as session hijacking or unauthorized actions performed on behalf of users. No patches or official fixes are currently linked, and no known exploits have been reported in the wild, but the vulnerability is publicly disclosed and should be addressed promptly to prevent potential exploitation.

The primary impact of CVE-2025-7035 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any user viewing those pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed with victim user privileges, and potential defacement or redirection attacks. Since contributor-level access is often granted to content creators or editors, the attack surface is relatively broad within organizations using this plugin. The vulnerability can compromise the integrity and confidentiality of user sessions and data but does not directly affect availability. Exploitation could facilitate further attacks such as privilege escalation or lateral movement within the WordPress environment. Organizations relying on Media Library Assistant for managing media content are at risk of reputational damage and data breaches if this vulnerability is exploited.

To mitigate CVE-2025-7035, organizations should immediately update the Media Library Assistant plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing user permissions to minimize risk. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the mla_tag_cloud and mla_term_list shortcodes can provide temporary protection. Additionally, applying manual input validation and output escaping in custom shortcode implementations or using security plugins that sanitize shortcode attributes can reduce exposure. Regularly monitoring logs for unusual shortcode usage or script injection attempts is recommended. Educating content contributors about safe input practices and the risks of injecting untrusted content can also help prevent exploitation. Finally, consider disabling or removing the vulnerable shortcodes if they are not essential to the site’s functionality until a fix is available.