CVE-2025-7649 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Surbma | Recent Comments Shortcode plugin for WordPress, present in all versions up to and including 2.0. This vulnerability arises from improper input sanitization and insufficient output escaping of user-supplied attributes in the plugin's 'recent-comments' shortcode functionality. Specifically, authenticated users with contributor-level permissions or higher can inject malicious JavaScript code into pages using this shortcode. Because the injected scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity), reflecting its network attack vector, low attack complexity, requirement for privileges (contributor or above), no user interaction needed, and a scope change with limited confidentiality and integrity impact but no availability impact. No known exploits are currently reported in the wild, and no official patches have been released yet. The vulnerability is categorized under CWE-79, which is a common and well-understood web application security weakness related to improper neutralization of input during web page generation.

For European organizations using WordPress websites with the Surbma | Recent Comments Shortcode plugin, this vulnerability poses a significant risk. Since contributor-level access is sufficient to exploit the flaw, insider threats or compromised contributor accounts can lead to persistent XSS attacks. The impact includes potential theft of session cookies, enabling attackers to impersonate users with higher privileges, defacement of websites, injection of malicious content or phishing scripts, and unauthorized actions performed on behalf of users. This can damage organizational reputation, lead to data breaches, and violate data protection regulations such as GDPR if personal data is exposed or manipulated. The scope of impact is heightened for organizations relying on WordPress for customer-facing portals, intranet sites, or content management, especially where multiple users have contributor or higher roles. The absence of a patch increases the urgency for mitigation. However, the lack of known active exploitation reduces immediate risk but does not eliminate the threat of future attacks.

European organizations should take immediate steps to mitigate this vulnerability beyond generic advice. First, audit all WordPress sites to identify installations of the Surbma | Recent Comments Shortcode plugin and verify the version in use. If the plugin is present, restrict contributor-level access strictly to trusted users and review user roles to minimize unnecessary privileges. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the shortcode parameters. Employ Content Security Policy (CSP) headers to restrict script execution sources, limiting the impact of injected scripts. Monitor logs for unusual activity related to shortcode usage or contributor actions. Until an official patch is released, consider disabling or removing the plugin entirely if feasible. Additionally, educate content contributors about safe input practices and the risks of injecting untrusted content. Regularly check for updates from the vendor and apply patches promptly once available. Finally, conduct penetration testing focused on XSS vectors to verify the effectiveness of mitigations.