CVE-2025-7661 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Partnerský systém Martinus WordPress plugin developed by maxomatos. This vulnerability exists in all versions up to and including 1.7.1. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of user-supplied attributes in the plugin's 'martinus' shortcode. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages via the shortcode attributes. These scripts are then stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to sites using this plugin, especially those with multiple contributors or editors. The CWE classification is CWE-79, which is a common and well-understood web application security issue related to improper input validation and output encoding.

For European organizations using WordPress sites with the Partnerský systém Martinus plugin, this vulnerability can lead to unauthorized script execution within their web environments. The impact includes potential theft of user credentials, session tokens, or other sensitive information, which could facilitate further compromise of the website or connected systems. Since the exploit requires contributor-level access, insider threats or compromised contributor accounts pose a significant risk. The persistent nature of stored XSS means that all visitors to the infected pages are at risk, potentially damaging the organization's reputation and trustworthiness. For e-commerce or content-driven sites, this could result in data leakage, defacement, or redirection to malicious sites, impacting business continuity and compliance with data protection regulations such as GDPR. Additionally, the scope change in the CVSS vector indicates that the vulnerability could affect components beyond the initial plugin context, potentially impacting the broader WordPress environment or integrated services.

European organizations should immediately audit their WordPress installations to identify the presence of the Partnerský systém Martinus plugin and verify its version. Since no official patch links are currently available, organizations should consider the following specific mitigations: 1) Restrict contributor-level access strictly to trusted users and review user permissions regularly to minimize the risk of insider exploitation. 2) Implement Web Application Firewalls (WAFs) with custom rules to detect and block malicious script payloads targeting the 'martinus' shortcode parameters. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Sanitize and validate all user inputs at the application level, possibly by customizing or extending the plugin code to enforce proper escaping if immediate patching is not feasible. 5) Monitor website logs and user activity for suspicious behavior indicative of exploitation attempts. 6) Engage with the plugin vendor or community to obtain or contribute to a security patch and plan for prompt updates once available. 7) Educate contributors about secure content practices and the risks of injecting untrusted content. These targeted actions go beyond generic advice and address the specific attack vector and environment of this vulnerability.