CVE-2025-8685: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in emilien Wp chart generator
The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-8685 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Wp chart generator plugin for WordPress, developed by emilien. It exists in all versions up to and including 1.0.4 and is caused by improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping on user-supplied attributes of the plugin's wpchart shortcode. An authenticated attacker with contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages generated by the plugin. These scripts execute in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity). The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and a changed scope (S:C), with impact on confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patch links are provided yet. The vulnerability is classified as CWE-79, improper neutralization of input during web page generation, a common cause of XSS issues. It is particularly dangerous in WordPress environments where multiple users have contributor or higher roles, because the injected content persists and affects all visitors to the infected pages.
Potential Impact
For European organizations using WordPress with the Wp chart generator plugin, this vulnerability poses a significant risk to website integrity and user trust. Exploitation could lead to unauthorized disclosure of sensitive information (confidentiality impact) and unauthorized modification of content or user sessions (integrity impact). While availability is not directly affected, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be severe. Attackers could leverage this vulnerability to conduct phishing attacks, steal authentication cookies, or perform actions on behalf of legitimate users. Organizations with contributor-level users who can add or edit content are particularly at risk. Since WordPress is widely used across Europe for business, governmental, and personal websites, the potential impact is broad. The vulnerability could also be leveraged as a foothold for further attacks within the network if combined with other vulnerabilities or misconfigurations.
Mitigation Recommendations
1. Immediate mitigation involves restricting contributor-level access to trusted users only and auditing existing contributors for suspicious activity.
2. Disable or remove the Wp chart generator plugin until a security patch is released.
3. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the wpchart shortcode parameters.
4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites.
5. Monitor website logs for unusual activity or injection attempts related to the plugin.
6. Once available, promptly apply vendor patches or updates addressing this vulnerability.
7. Educate content contributors about safe input practices and the risks of injecting untrusted content.
8. Consider using alternative charting plugins with a strong security track record and active maintenance.
These steps go beyond generic advice by focusing on access control, proactive monitoring, and layered defenses specific to the plugin's attack vector.
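One way to carry out the content audit implied by steps 1 and 5, as an added example that is not code from the plugin or from this advisory: it scans stored post bodies for wpchart shortcodes whose attribute values contain markup-like content. It assumes post content has been exported (for instance from the `post_content` column of `wp_posts`) into dictionaries with `id`, `author` and `content` keys; the sample rows are constructed and the attribute names in them are hypothetical.

```python
import re

# [wpchart ...] shortcode; group 1 is the raw attribute string.
SHORTCODE_RE = re.compile(r"\[wpchart\b([^\]]*)\]", re.IGNORECASE)
# WordPress attribute forms: name="v", name='v', name=v.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")
# Markup delimiters, inline event handlers and javascript: URLs have no
# place in a chart attribute value.
SUSPICIOUS_RE = re.compile(r"""[<>"'`]|\bon\w+\s*=|javascript\s*:""", re.IGNORECASE)

# Constructed sample rows; attribute names (type, title, color, width) are
# hypothetical, the advisory does not list the plugin's attributes.
SAMPLE_POSTS = [
    {"id": 101, "author": "editor-a",
     "content": 'Numbers: [wpchart type="bar" title="Q3 sales" width=400]'},
    {"id": 102, "author": "contrib-b",
     "content": '[wpchart type="line" title="Q4 <b>constructed markup</b>"]'},
    {"id": 103, "author": "contrib-b", "content": "No chart in this post."},
    {"id": 104, "author": "contrib-c",
     "content": "[wpchart type=\"pie\" color='red\" onmouseover=\"constructed']"},
]


def audit_posts(posts):
    """Return (post_id, author, attribute, value) for each wpchart attribute
    whose value contains markup-like content and needs manual review."""
    findings = []
    for post in posts:
        for shortcode in SHORTCODE_RE.finditer(post["content"]):
            for attr in ATTR_RE.finditer(shortcode.group(1)):
                name = attr.group(1)
                # Exactly one of the three value groups matched.
                value = next(g for g in attr.groups()[1:] if g is not None)
                if SUSPICIOUS_RE.search(value):
                    findings.append((post["id"], post["author"], name, value))
    return findings


if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

A hit is a prompt for manual review of that post and its author, not proof of compromise; revisions and drafts should be included in the export, since stored content persists there as well.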
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-06T21:13:17.182Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689aa7d3ad5a09ad002be7c1
Added to database: 8/12/2025, 2:32:51 AM
Last enriched: 8/12/2025, 2:49:08 AM
Last updated: 8/12/2025, 11:37:13 AM