CVE-2025-8685 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Wp chart generator plugin for WordPress, developed by emilien. This vulnerability affects all versions up to and including 1.0.4. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes in the plugin's wpchart shortcode. An authenticated attacker with contributor-level access or higher can exploit this flaw by injecting arbitrary malicious scripts into pages or posts. These scripts are then stored persistently and executed in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or distribution of malware. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requiring low attack complexity and privileges of a contributor or higher, but no user interaction is needed for the payload to execute once injected. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks.

For European organizations using WordPress sites with the vulnerable Wp chart generator plugin, this vulnerability poses a significant risk to the confidentiality and integrity of their web applications. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, including administrators and other privileged users. This can lead to theft of authentication cookies, unauthorized actions on behalf of users, defacement, or distribution of malware. Given the widespread use of WordPress across European businesses, government portals, and e-commerce platforms, exploitation could result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and financial losses. The vulnerability does not directly impact availability but can indirectly cause service disruptions if exploited for further attacks. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with multiple contributors or where account compromise is possible. The scope change indicates that the vulnerability could affect other components or data beyond the plugin itself, increasing potential damage.

European organizations should immediately audit their WordPress installations to identify the presence of the Wp chart generator plugin and its version. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict contributor-level and higher privileges strictly to trusted users to reduce the risk of malicious input injection. 2) Implement Web Application Firewall (WAF) rules that detect and block suspicious shortcode attribute patterns or script tags in user inputs related to the wpchart shortcode. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 4) Conduct thorough input validation and output encoding on any custom code interacting with the plugin or shortcode. 5) Monitor logs and user activities for unusual behavior indicative of exploitation attempts. 6) Prepare for rapid deployment of patches once available by maintaining an up-to-date plugin inventory and testing environment. 7) Educate content contributors about safe input practices and the risks of injecting untrusted content. These targeted actions go beyond generic advice by focusing on privilege management, proactive detection, and containment specific to this vulnerability's attack vector.