CVE-2025-7652 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Easy Plugin Stats plugin for WordPress, affecting all versions up to and including 2.0.1. The vulnerability arises from insufficient sanitization and escaping of user-supplied attributes in the plugin's 'eps' shortcode. Authenticated users with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages where the shortcode is used. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling actions on behalf of the victim user. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability's presence in a popular WordPress plugin makes it a notable risk. The plugin's widespread use in WordPress sites increases the attack surface, especially where contributor-level access is granted to multiple users. The vulnerability's exploitation does not affect availability but can lead to data leakage and unauthorized actions. The lack of a current patch requires administrators to monitor vendor updates closely or implement temporary mitigations such as restricting contributor privileges or sanitizing inputs at the application level.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of web applications using the Easy Plugin Stats plugin. Exploitation could allow attackers to hijack user sessions, steal sensitive information, or perform unauthorized actions within the context of the affected WordPress site. This is particularly concerning for organizations with multiple contributors or editors who have authenticated access, as they could be leveraged as entry points. The impact is heightened in sectors relying heavily on WordPress for public-facing or internal portals, such as media, education, and small to medium enterprises. Although availability is not directly impacted, the reputational damage and potential data breaches could have regulatory consequences under GDPR. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities once disclosed. Organizations with high web traffic and user engagement are more vulnerable to the consequences of session hijacking or defacement resulting from this XSS flaw.

1. Monitor the Easy Plugin Stats plugin vendor announcements closely and apply official patches immediately upon release. 2. Until a patch is available, restrict contributor-level access to trusted users only, minimizing the risk of malicious shortcode injection. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the 'eps' shortcode parameters. 4. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected WordPress sites. 5. Conduct regular security audits of user-generated content and shortcode usage to identify and remove potentially malicious inputs. 6. Educate content contributors about safe input practices and the risks of injecting untrusted content. 7. Consider disabling or replacing the Easy Plugin Stats plugin with alternative solutions that follow secure coding practices if immediate patching is not feasible. 8. Employ security plugins that provide input sanitization and output escaping enhancements for WordPress shortcodes. 9. Review and tighten user role permissions to enforce the principle of least privilege, reducing the number of users who can exploit this vulnerability.