CVE-2025-7959 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Station Pro – Advanced Audio Streaming & Player plugin for WordPress, developed by marviorocha. This vulnerability affects all versions up to and including 2.4.2. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'width' and 'height' parameters. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting malicious scripts into these parameters. Because the vulnerability is stored, the injected scripts persist in the plugin's data and execute whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based (remote), requires low attack complexity, and privileges at the Contributor level, but does not require user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact affects confidentiality and integrity but not availability. No known exploits are currently in the wild, and no patches have been linked yet. This vulnerability falls under CWE-79, which is a common and critical web application security issue related to improper input validation and output encoding.

For European organizations using WordPress websites with the Station Pro plugin, this vulnerability poses a significant risk. Attackers with Contributor-level access—often granted to content creators or editors—can inject malicious scripts that execute in the browsers of site visitors or administrators. This can lead to session hijacking, unauthorized actions, defacement, or data theft. Given the widespread use of WordPress in Europe for business, media, and government websites, exploitation could undermine trust, cause reputational damage, and lead to regulatory compliance issues under GDPR if personal data is compromised. The vulnerability does not affect availability directly but can facilitate further attacks that might. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by proper access controls; however, insider threats or compromised contributor accounts increase the risk. The stored nature of the XSS means that once injected, the malicious code can persist and affect multiple users over time, increasing the potential impact.

European organizations should immediately audit their WordPress installations for the presence of the Station Pro plugin and verify the version in use. Until an official patch is released, organizations should consider the following specific mitigations: 1) Restrict Contributor-level access strictly to trusted users and review user roles and permissions to minimize the number of users who can inject content. 2) Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads in the 'width' and 'height' parameters. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 5) If feasible, temporarily disable or replace the Station Pro plugin with alternative audio streaming solutions until a secure version is available. 6) Educate content contributors about the risks of injecting untrusted content and enforce strict input validation on the application side where possible. 7) Regularly update WordPress core and plugins to incorporate security patches promptly once released.