CVE-2025-8294 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the Download Counter plugin for WordPress, developed by anatolyk. This vulnerability affects all versions up to and including version 1.3 of the plugin. The root cause is insufficient input sanitization and output escaping of the 'name' parameter, which allows an authenticated attacker with at least Contributor-level access to inject arbitrary malicious scripts into pages generated by the plugin. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity level. The vector indicates that the attack can be performed remotely (AV:N) with low attack complexity (AC:L), requires privileges (PR:L) but no user interaction (UI:N), and impacts confidentiality and integrity with a scope change (S:C). No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is particularly concerning because it requires only Contributor-level access, which is a relatively low privilege level in WordPress, making it easier for attackers who have compromised or registered such accounts to exploit the flaw. Stored XSS vulnerabilities are more dangerous than reflected XSS because the malicious payload persists on the server and can affect multiple users over time.

For European organizations using WordPress sites with the anatolyk Download Counter plugin, this vulnerability poses a significant risk to website integrity and user trust. Exploitation could lead to unauthorized disclosure of sensitive information, such as user session tokens or personal data, violating GDPR requirements. Attackers could leverage the XSS to perform actions on behalf of legitimate users, potentially leading to account takeover or privilege escalation. This could disrupt business operations, damage reputation, and result in regulatory penalties. Since the vulnerability requires only Contributor-level access, attackers may exploit weak user account controls or social engineering to gain initial foothold. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting other parts of the web application. Although no active exploits are reported, the medium severity and ease of exploitation suggest that European organizations should proactively address this issue to prevent future attacks.

1. Immediate mitigation involves restricting Contributor-level user registrations and ensuring strict user access controls to limit the number of users with such privileges. 2. Monitor and audit Contributor accounts for suspicious activity or unauthorized access. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'name' parameter in the Download Counter plugin. 4. Apply manual input validation and output encoding for the 'name' parameter if custom development is possible, ensuring all user-supplied input is sanitized before storage and properly escaped on output. 5. Regularly update the plugin once the vendor releases a patch addressing this vulnerability. 6. Conduct security awareness training for site administrators and contributors to recognize phishing or social engineering attempts that could lead to account compromise. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 8. Perform regular security scans and penetration testing focused on XSS vulnerabilities to detect similar issues early.