CVE-2025-7653 is a stored Cross-Site Scripting (XSS) vulnerability affecting the EPay.bg Payments plugin for WordPress, developed by vloo. This vulnerability exists in all versions up to and including 0.1 of the plugin. The root cause is insufficient sanitization and output escaping of user-supplied attributes in the plugin's 'epay' shortcode, which is used to embed payment functionalities within WordPress pages. Because the vulnerability is stored XSS, malicious scripts injected by an attacker are saved on the server and executed whenever any user accesses the compromised page. Exploitation requires the attacker to have at least contributor-level authenticated access to the WordPress site, enabling them to inject arbitrary JavaScript code via shortcode attributes. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change with limited confidentiality and integrity impact but no availability impact. This vulnerability can lead to session hijacking, defacement, or redirection attacks, compromising user data and site integrity. No public exploits are known at this time, and no patches have been released yet. The vulnerability was published on July 19, 2025, and assigned by Wordfence.

For European organizations using WordPress sites with the EPay.bg Payments plugin, this vulnerability poses a moderate risk. Since the plugin handles payment processing, exploitation could undermine trust in e-commerce platforms by enabling attackers to steal session tokens, perform unauthorized actions on behalf of users, or inject malicious content that could lead to phishing or malware distribution. The requirement for contributor-level access limits the attack surface to insiders or compromised accounts, but many organizations allow multiple users with such privileges, increasing risk. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the initially vulnerable component, potentially impacting other parts of the website or user sessions. Confidentiality and integrity of user data could be compromised, which is critical for compliance with GDPR and other European data protection regulations. Although availability is not impacted, reputational damage and potential regulatory penalties could be significant. The lack of known exploits reduces immediate risk, but the presence of this vulnerability in payment-related infrastructure makes it a high-priority issue for European businesses relying on this plugin.

European organizations should take immediate steps to mitigate this vulnerability. First, restrict contributor-level access strictly to trusted users and review existing user privileges to minimize the number of accounts that can exploit this flaw. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs that may contain script tags or JavaScript event handlers. Conduct thorough input validation and output encoding on all user-supplied data within the WordPress environment, especially for shortcode attributes, as a temporary protective measure until an official patch is released. Monitor logs for unusual activity related to shortcode usage or unexpected script injections. Consider disabling or removing the EPay.bg Payments plugin if it is not essential or if no timely patch is available. Additionally, educate content contributors about the risks of injecting untrusted content and enforce strict content policies. Once a patch is released, prioritize immediate update and testing in staging environments before deployment. Finally, implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites.