CVE-2025-8293 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the Intl DateTime Calendar plugin for WordPress developed by Theerawat Patthawee. The vulnerability exists due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'date' parameter. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the vulnerable parameter. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.0.1, with no patch currently available. The CVSS v3.1 score of 6.4 reflects a medium severity, considering the network attack vector, low attack complexity, required privileges (low), no user interaction, and partial impact on confidentiality and integrity. The scope is changed as the vulnerability affects resources beyond the attacker’s privileges by impacting other users. No known exploits have been reported in the wild, but the risk remains significant for sites using this plugin. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugin development to prevent injection attacks.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers can inject malicious scripts that execute in the context of other users’ browsers, enabling session hijacking, credential theft, or unauthorized actions such as content manipulation or privilege escalation. While availability is not directly impacted, the reputational damage and potential data breaches can be severe. Organizations relying on the Intl DateTime Calendar plugin risk exposure to targeted attacks, especially if Contributor-level accounts are compromised or misused. The vulnerability could also facilitate the spread of malware or phishing campaigns by injecting malicious payloads into trusted sites. Since WordPress powers a significant portion of the web, and plugins are a common attack vector, this vulnerability poses a moderate risk to a wide range of organizations, including small businesses, media sites, and enterprises using this plugin. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks.

1. Immediately restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 2. Monitor and audit user-generated content, especially inputs related to the 'date' parameter, for suspicious or unexpected scripts. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting this plugin’s parameters. 4. Apply strict input validation and output encoding in any custom code interacting with the plugin or its parameters. 5. Encourage the plugin vendor to release a patch addressing the input sanitization and escaping issues; apply the patch promptly once available. 6. Consider temporarily disabling or replacing the Intl DateTime Calendar plugin with a more secure alternative until a fix is released. 7. Educate site administrators and content contributors about the risks of XSS and safe content practices. 8. Regularly update WordPress core and plugins to reduce exposure to known vulnerabilities.