CVE-2025-7959 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Station Pro – Advanced Audio Streaming & Player plugin for WordPress, developed by marviorocha. The vulnerability affects all versions up to and including 2.4.2. It stems from insufficient sanitization and output escaping of the 'width' and 'height' parameters used in web page generation. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via these parameters. When other users access the infected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with network attack vector, low attack complexity, and privileges required but no user interaction needed. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the need for proper input validation and output encoding in WordPress plugins, especially those handling user-supplied parameters that affect page rendering.

The primary impact of CVE-2025-7959 is on the confidentiality and integrity of affected WordPress sites using the Station Pro plugin. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts, which execute in the context of other users’ browsers. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of victims, and potential spread of malware. Although availability is not directly impacted, the trustworthiness and security posture of the affected websites can be severely undermined. Organizations relying on this plugin for audio streaming and player functionality risk compromise of user accounts and data leakage. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with multiple contributors or less stringent access controls. The vulnerability could be leveraged in targeted attacks against organizations with active content contributors, potentially affecting media, education, and entertainment sectors that use WordPress extensively.

To mitigate CVE-2025-7959, organizations should immediately restrict Contributor-level user permissions to trusted individuals and review existing user roles to minimize unnecessary privileges. Since no official patch is currently available, administrators should consider disabling or replacing the Station Pro plugin until a fix is released. Implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns in the 'width' and 'height' parameters can provide interim protection. Additionally, site owners should enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly auditing plugin updates and subscribing to security advisories from the plugin vendor and WordPress security communities is essential. Developers maintaining custom or forked versions of the plugin should apply proper input validation and output encoding on all user-supplied parameters to prevent script injection. Finally, educating content contributors about safe input practices and monitoring logs for unusual activities can help detect exploitation attempts early.