CVE-2025-8143 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Soledad WordPress theme developed by pencidesign. The vulnerability exists in all versions up to and including 8.6.7 due to insufficient sanitization and escaping of the ‘pcsml_smartlists_h’ parameter during web page generation. This parameter is vulnerable to malicious input that authenticated users with Contributor-level access or higher can exploit to inject arbitrary JavaScript code into pages. Because the vulnerability is stored, the injected scripts persist in the website content and execute in the browsers of any users who visit the affected pages, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change affecting confidentiality and integrity but not availability. No public exploits or patches are currently available, increasing the urgency for administrators to apply custom mitigations or await official updates. The vulnerability affects a widely used WordPress theme, making it relevant to a broad range of websites, especially those with multiple content contributors. The vulnerability’s exploitation requires authentication but no user interaction, making it a moderate risk for sites with less restrictive contributor roles.

The impact of CVE-2025-8143 includes potential compromise of user confidentiality and data integrity on affected WordPress sites using the Soledad theme. Attackers with Contributor-level access can inject persistent malicious scripts that execute in visitors’ browsers, enabling session hijacking, credential theft, defacement, or redirection to malicious sites. This can erode user trust, damage brand reputation, and potentially lead to further exploitation such as privilege escalation or data exfiltration. Since the vulnerability requires authenticated access, the risk is higher for sites with multiple contributors or less stringent access controls. The scope of affected systems is significant given the popularity of WordPress and the Soledad theme, impacting organizations worldwide that rely on this theme for content management. Although availability is not directly affected, the integrity and confidentiality breaches can have serious operational and compliance consequences, especially for sites handling sensitive user data or financial transactions.

To mitigate CVE-2025-8143, organizations should immediately restrict Contributor-level permissions to trusted users only and review existing contributor roles for unnecessary privileges. Implement strict input validation and output encoding on the ‘pcsml_smartlists_h’ parameter to prevent script injection. Administrators should monitor website content for suspicious or unexpected script tags, especially in user-generated content areas. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads to block malicious requests. Regularly update the Soledad theme once an official patch is released by pencidesign. In the interim, consider disabling or limiting features that utilize the vulnerable parameter. Conduct security awareness training for contributors to recognize and avoid unsafe content practices. Finally, perform regular security audits and penetration testing focused on XSS vulnerabilities to detect and remediate similar issues proactively.