CVE-2025-7652 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Easy Plugin Stats plugin for WordPress, affecting all versions up to and including 2.0.1. The vulnerability stems from improper neutralization of input during web page generation, specifically within the plugin's 'eps' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk due to the widespread use of WordPress and the Easy Plugin Stats plugin. The flaw allows attackers to leverage their limited access to escalate their impact by targeting other users, including administrators, through malicious script execution. The vulnerability was publicly disclosed on October 11, 2025, and no official patches have been linked yet, emphasizing the need for immediate mitigation actions by affected organizations.

The primary impact of CVE-2025-7652 is the potential execution of arbitrary scripts in the browsers of users who visit pages containing the malicious shortcode injection. This can lead to theft of session cookies, enabling attackers to impersonate users with higher privileges, including administrators. Consequently, attackers could perform unauthorized actions such as modifying site content, changing configurations, or installing backdoors. The vulnerability compromises confidentiality by exposing sensitive user data and integrity by allowing unauthorized content manipulation. Availability is not directly affected. Since exploitation requires authenticated contributor-level access, the attack surface is limited to environments where such user roles exist, but the scope includes all users who view the infected pages, potentially amplifying the impact. Organizations relying on this plugin risk reputational damage, data breaches, and loss of user trust if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code could emerge, increasing attack likelihood.

Organizations should immediately audit their WordPress installations to identify the presence of the Easy Plugin Stats plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate the attack vector. If removal is not feasible, restrict contributor-level access to trusted users only and monitor for suspicious shortcode usage or unexpected page content changes. Implement Web Application Firewall (WAF) rules to detect and block attempts to inject malicious scripts via the 'eps' shortcode attributes. Additionally, apply Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly review user roles and permissions to minimize the number of users with contributor or higher privileges. Once a patch becomes available, apply it promptly. Finally, educate site administrators and contributors about the risks of XSS and safe content management practices to reduce inadvertent exploitation.