CVE-2025-7651 identifies a stored cross-site scripting (XSS) vulnerability in the Earnware Connect plugin for WordPress, specifically in the 'ew_hasrole' shortcode functionality. This vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The plugin fails to adequately sanitize and escape user-supplied attributes, enabling authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes in the context of any user who visits the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.0.73. The CVSS 3.1 base score of 6.4 reflects a medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (PR:L), no user interaction, and scope change (S:C). The vulnerability impacts confidentiality and integrity but not availability. No public exploits have been reported yet, but the presence of this flaw in a widely used CMS plugin poses a significant risk if weaponized. The lack of official patches at the time of reporting necessitates immediate mitigation steps by administrators.

The stored XSS vulnerability allows attackers with contributor-level access to inject malicious scripts that execute in the browsers of users visiting the affected pages. This can lead to session hijacking, theft of sensitive information such as authentication tokens, unauthorized actions performed on behalf of users, and potential privilege escalation if combined with other vulnerabilities. For organizations, this can result in compromised user accounts, defacement of websites, loss of customer trust, and potential regulatory repercussions if user data is exposed. Since the vulnerability requires authenticated access, the initial barrier is moderate; however, many WordPress sites allow contributor roles for content creators, making exploitation feasible. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire site. Although availability is not directly affected, the integrity and confidentiality risks are significant enough to warrant urgent attention. The absence of known exploits in the wild currently limits immediate widespread impact but does not preclude future exploitation.

Organizations should immediately audit their WordPress installations to identify the presence of the Earnware Connect plugin and verify its version. Since no official patches are available at the time of this report, administrators should consider temporarily disabling the plugin or restricting contributor-level access until a fix is released. Implement strict input validation and output encoding for all user-supplied data, especially in shortcode attributes, to prevent script injection. Employ Web Application Firewalls (WAFs) with rules targeting common XSS payloads to provide an additional layer of defense. Monitor logs for unusual activity or attempts to inject scripts via the 'ew_hasrole' shortcode. Educate content contributors about the risks of injecting untrusted content and enforce the principle of least privilege by limiting contributor roles to trusted users only. Once a patch is released, prioritize its deployment and conduct thorough testing to ensure the vulnerability is fully remediated. Additionally, consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts.