CVE-2025-7652 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Easy Plugin Stats plugin for WordPress, affecting all versions up to and including 2.0.1. The vulnerability arises from improper neutralization of user-supplied input within the plugin's 'eps' shortcode attributes, where insufficient sanitization and output escaping allow an authenticated attacker with contributor-level or higher privileges to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who accesses the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability requires authentication but no user interaction beyond page access. The CVSS 3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and partial confidentiality and integrity impact but no availability impact. No patches or exploits are currently publicly available, but the vulnerability is published and recognized by the CVE database. The plugin is widely used in WordPress environments, which are prevalent across many European organizations, especially those managing content-heavy websites. The CWE-79 classification highlights the core issue as improper input validation and output encoding during web page generation, a common vector for XSS attacks.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of web applications and their users. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, unauthorized actions, or data leakage. This can undermine user trust, lead to credential theft, and facilitate further attacks such as privilege escalation or lateral movement within the network. Organizations relying on WordPress for public-facing or internal sites that use the Easy Plugin Stats plugin are particularly vulnerable. The impact is heightened in sectors with sensitive data or regulatory requirements, such as finance, healthcare, and government. While availability is not directly affected, reputational damage and compliance violations could result from exploitation. The requirement for authenticated access limits exposure but does not eliminate risk, especially in environments with multiple contributors or less stringent access controls.

Immediate mitigation should focus on restricting contributor-level access to trusted users only and auditing existing content for injected scripts. Organizations should monitor their WordPress sites for unusual shortcode usage or unexpected script tags. Since no patch is currently available, applying Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'eps' shortcode parameters can reduce risk. Implementing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Administrators should enforce the principle of least privilege, limiting contributor roles and reviewing user permissions regularly. Once a patch is released, prompt updating of the Easy Plugin Stats plugin is essential. Additionally, developers and site administrators should validate and sanitize all user inputs rigorously and apply output encoding consistently to prevent similar vulnerabilities. Regular security assessments and plugin inventory reviews will help identify and remediate such risks proactively.