The Wp chart generator plugin for WordPress, up to and including version 1.0.4, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-8685. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of user-supplied attributes in the wpchart shortcode. Authenticated attackers with contributor-level or higher privileges can embed arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the compromised page, potentially affecting administrators, editors, and visitors. The vulnerability does not require user interaction beyond visiting the page but does require authentication with contributor or higher privileges, which limits the initial attack surface. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact, with no availability impact. No patches or fixes are currently linked, and no active exploitation has been reported. The vulnerability poses a risk of session hijacking, unauthorized actions on behalf of users, defacement, or distribution of malware via injected scripts.

This vulnerability can lead to significant security risks for organizations using the Wp chart generator plugin. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, escalating privileges, or performing unauthorized actions. This can compromise the confidentiality and integrity of user data and site content. Since WordPress powers a large number of websites globally, including corporate, governmental, and personal sites, exploitation could lead to reputational damage, data breaches, and loss of user trust. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but many WordPress sites allow contributor-level access to multiple users or third parties, increasing risk. The vulnerability does not affect availability directly but can facilitate further attacks that degrade service or cause defacement. Without a patch, organizations remain exposed to potential future exploitation as attackers develop proof-of-concept or weaponized payloads.

Organizations should immediately audit user roles and permissions to ensure that only trusted users have contributor-level or higher access. Restricting contributor access reduces the risk of exploitation. Until an official patch is released, consider disabling or uninstalling the Wp chart generator plugin if it is not essential. If the plugin is required, implement web application firewall (WAF) rules to detect and block suspicious shortcode attribute inputs containing script tags or event handlers. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the impact of injected scripts. Regularly monitor logs and site content for unauthorized shortcode modifications or injected scripts. Educate site administrators and contributors about the risks of injecting untrusted content. Stay alert for vendor updates or patches and apply them promptly once available. Additionally, consider scanning the site with security tools to detect stored XSS payloads and remove them.