CVE-2025-7653 identifies a stored cross-site scripting (XSS) vulnerability in the vloo EPay.bg Payments plugin for WordPress, specifically in all versions up to and including 0.1. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'epay' shortcode. This flaw allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and a scope change (S:C). The impact affects confidentiality and integrity but not availability. No patches or known exploits have been reported at the time of publication. The vulnerability is particularly concerning for websites that allow contributor-level users to add or edit content, as they can exploit this to compromise other users, including administrators or customers. Given the plugin’s role in payment processing, exploitation could also undermine trust and transactional security on affected sites.

The primary impact of CVE-2025-7653 is the compromise of confidentiality and integrity on affected WordPress sites using the EPay.bg Payments plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of sensitive information such as payment details or credentials, and unauthorized actions performed with victim privileges. This can result in financial fraud, data breaches, and reputational damage for organizations. Since the plugin is related to payment processing, exploitation could disrupt e-commerce operations and erode customer trust. The vulnerability does not affect availability directly but can facilitate further attacks that may degrade service. Organizations with multiple contributors or public-facing content management are at higher risk. The scope of affected systems is limited to WordPress sites using this specific plugin, but given WordPress’s global popularity and the plugin’s use in payment contexts, the potential impact is significant for targeted sectors such as retail, finance, and services relying on online payments.

To mitigate CVE-2025-7653, organizations should first check for and apply any official patches or updates released by the plugin vendor once available. In the absence of a patch, immediate steps include disabling or removing the EPay.bg Payments plugin to prevent exploitation. Restrict contributor-level permissions to trusted users only, and consider elevating the minimum required role for content editing to reduce risk. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the 'epay' shortcode parameters. Conduct regular security audits and code reviews of plugins, especially those handling payment data. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Educate site administrators and contributors about the risks of injecting untrusted content. Monitor logs for unusual activity indicative of attempted exploitation. Finally, consider isolating payment processing functions to dedicated, hardened environments to minimize exposure.