CVE-2025-7653 is a stored Cross-Site Scripting (XSS) vulnerability affecting the EPay.bg Payments plugin for WordPress, developed by vloo. This vulnerability exists in all versions up to and including 0.1 of the plugin. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'epay' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary malicious scripts into pages that utilize this shortcode. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. According to the CVSS v3.1 scoring, it has a score of 6.4 (medium severity), with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was publicly disclosed on July 19, 2025.

For European organizations using WordPress sites with the EPay.bg Payments plugin, this vulnerability poses a significant risk. Since the plugin is related to payment processing, exploitation could undermine trust in e-commerce platforms, potentially leading to financial fraud or data leakage. The ability for contributors (not necessarily administrators) to inject malicious scripts broadens the threat surface, especially in organizations with multiple content editors. Exploited XSS can lead to session hijacking, unauthorized transactions, or redirection to phishing sites, which can damage brand reputation and result in regulatory penalties under GDPR if personal data is compromised. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially compromised plugin, potentially impacting other parts of the website or integrated systems. Given the critical role of payment plugins, even a medium severity vulnerability can have outsized consequences in the European digital economy.

Immediate mitigation steps include restricting contributor-level access to trusted users only and auditing existing content for suspicious shortcode usage. Site administrators should implement strict input validation and output encoding for all user-supplied data, especially within shortcodes. Until an official patch is released, consider disabling or removing the EPay.bg Payments plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting the 'epay' shortcode. Regularly monitor logs for unusual activity related to shortcode usage. Additionally, educate content contributors about the risks of injecting untrusted content and enforce the principle of least privilege. Once a patch is available, prioritize prompt application and verify the fix through security testing. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting script sources.