CVE-2025-7661 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Partnerský systém Martinus WordPress plugin developed by maxomatos. This vulnerability affects all versions up to and including 1.7.1. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of user-supplied attributes in the plugin's 'martinus' shortcode. An authenticated attacker with contributor-level privileges or higher can exploit this vulnerability by injecting arbitrary JavaScript code into pages via the shortcode attributes. Because the malicious script is stored, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or further exploitation of user accounts. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requires low attack complexity, and privileges at the contributor level, but no user interaction is needed for exploitation. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component, such as other users viewing the injected content. No known public exploits have been reported yet, and no patches are currently linked, indicating that mitigation may require manual intervention or updates from the vendor once available.

For European organizations, this vulnerability poses a significant risk especially for those using WordPress sites with the Partnerský systém Martinus plugin, which is likely used by businesses involved in affiliate or partner marketing programs. The ability of an attacker with contributor-level access to inject persistent malicious scripts can lead to compromised user sessions, theft of sensitive information, unauthorized actions on behalf of users, and reputational damage. Given the stored nature of the XSS, all visitors to affected pages are at risk, potentially including customers, partners, and employees. This could lead to data breaches under GDPR regulations, resulting in legal and financial penalties. Additionally, the compromise of partner systems can disrupt business operations and trust relationships. The medium severity score reflects that while the vulnerability does not directly impact system availability, the confidentiality and integrity of user data and site content are at risk. The lack of required user interaction increases the likelihood of exploitation once an attacker gains contributor access, which may be obtained through phishing or credential compromise.

European organizations should immediately audit their WordPress installations to identify the presence of the Partnerský systém Martinus plugin and verify the version in use. Until an official patch is released, it is recommended to restrict contributor-level access strictly to trusted users and review existing contributor accounts for suspicious activity. Implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs can help mitigate exploitation attempts. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Regularly monitoring logs for unusual shortcode usage patterns and conducting security awareness training to prevent credential compromise will further reduce risk. Once a vendor patch is available, prompt updating of the plugin is critical. Organizations should also consider isolating or disabling the vulnerable shortcode if feasible, or replacing the plugin with a more secure alternative to eliminate exposure.