CVE-2025-7661 identifies a stored Cross-Site Scripting (XSS) vulnerability in the maxomatos Partnerský systém Martinus plugin for WordPress, affecting all versions up to and including 1.7.1. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the plugin's 'martinus' shortcode attributes. Specifically, authenticated users with contributor-level permissions or higher can embed arbitrary JavaScript code into pages or posts via this shortcode. When other users access these pages, the injected scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of victims, or deliver further malicious payloads. The vulnerability does not require user interaction beyond viewing the compromised page and has a network attack vector with low complexity. The CVSS 3.1 base score is 6.4, reflecting limited confidentiality and integrity impacts without availability loss. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk in environments where contributor-level users are present. The scope is limited to websites running the affected plugin versions, which are primarily WordPress sites using this specific partner system. The vulnerability is classified under CWE-79, a common and well-understood web application security issue related to improper neutralization of input during web page generation.

The primary impact of CVE-2025-7661 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users viewing those pages. This can lead to theft of authentication tokens, unauthorized actions performed on behalf of users, defacement, or redirection to malicious sites. While the vulnerability does not directly affect system availability, it compromises the confidentiality and integrity of user sessions and data. Organizations relying on the Partnerský systém Martinus plugin risk reputational damage, user trust erosion, and potential data breaches if exploited. The impact is particularly significant for sites with multiple contributors or where contributor accounts may be compromised or misused. Since the attack requires authenticated access, the threat is mitigated somewhat by access controls, but insider threats or compromised contributor accounts remain a concern. The vulnerability could also be leveraged as a foothold for further attacks within the affected environment.

To mitigate CVE-2025-7661, organizations should immediately update the Partnerský systém Martinus plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level permissions to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injection attempts targeting the 'martinus' shortcode can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Site administrators should also sanitize and validate all user inputs rigorously and consider disabling or removing the vulnerable shortcode if not essential. Regular security reviews and monitoring for anomalous behavior related to contributor accounts and page content changes are recommended. Finally, educating contributors about secure content practices can help reduce accidental injection of malicious code.