CVE-2025-8394 is a stored cross-site scripting vulnerability identified in the Productive Style – Optimisations & Content Publishing Support plugin for WordPress. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the display_productive_breadcrumb shortcode. This shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability affects all versions up to and including 1.1.23. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required but no user interaction needed. The scope is changed due to the potential impact on other users viewing the injected content. No public exploits have been reported yet. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that allow user-generated content or shortcode attributes. The lack of a patch link suggests that a fix may be pending or users must implement manual mitigations.

This vulnerability allows authenticated users with contributor-level access or higher to inject malicious scripts that execute in the browsers of any users viewing the affected pages. The impact includes potential theft of session cookies, enabling account takeover, defacement of website content, or redirection to malicious sites. Since WordPress powers a significant portion of websites globally, exploitation could lead to widespread compromise of sites using the vulnerable plugin. The attack requires authentication but no user interaction, increasing the risk within organizations that allow multiple contributors. The integrity and confidentiality of user data and site content are at risk, though availability is not directly impacted. The scope is significant because injected scripts can affect all visitors to compromised pages, potentially leading to reputational damage and loss of user trust for affected organizations.

Organizations should immediately audit their WordPress installations to identify the presence of the Productive Style plugin and verify the version in use. Until an official patch is released, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling the plugin or the vulnerable shortcode to prevent exploitation. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode attributes can provide additional protection. Site administrators should also enforce strict input validation and output encoding in custom code or plugin overrides if feasible. Monitoring logs for unusual activity related to shortcode usage and user actions can help detect exploitation attempts. Once a patch is available, prompt updating of the plugin is critical. Additionally, educating contributors about safe content practices and the risks of injecting scripts can reduce accidental exploitation.