CVE-2025-8691 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WP Scriptcase plugin for WordPress, developed by softmus. This vulnerability exists in all versions up to and including 2.0.0 due to insufficient sanitization and escaping of the 'url' parameter during web page generation. Specifically, the plugin fails to properly neutralize input, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes automatically whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is remotely exploitable over the network without user interaction, requiring only authenticated access with limited privileges, which broadens the attacker base beyond administrators. The CVSS 3.1 base score is 6.4, reflecting medium severity with low attack complexity and no user interaction needed. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. No public exploits are currently known, but the vulnerability is significant given the widespread use of WordPress and the plugin. The lack of available patches at the time of publication increases the urgency for mitigation. The CWE-79 classification confirms this is a classic XSS issue stemming from improper input validation and output encoding.

The primary impact of CVE-2025-8691 is the compromise of confidentiality and integrity for users of affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of authentication tokens, unauthorized actions performed with victim privileges, and defacement or redirection of web content. While availability is not directly affected, the reputational damage and potential data breaches can have significant business consequences. Organizations relying on WP Scriptcase may face increased risk of targeted attacks, especially if Contributor roles are widely assigned or if the site has high traffic. The vulnerability also lowers the barrier for attackers to escalate privileges or move laterally within a compromised WordPress environment. Given WordPress’s dominance in web content management, the global impact could be substantial, particularly for sites that do not promptly restrict Contributor access or monitor for suspicious activity. The absence of known exploits in the wild currently limits immediate widespread damage but does not preclude future exploitation.

To mitigate CVE-2025-8691, organizations should first monitor for updates or patches released by softmus and apply them immediately upon availability. Until patches are released, restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'url' parameter in WP Scriptcase plugin requests. Conduct regular audits of user roles and permissions to ensure least privilege principles are enforced. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting sources of executable code. Additionally, monitor website logs for unusual activity or unexpected changes in page content that could indicate exploitation attempts. Educate site administrators and contributors about the risks of XSS and safe content practices. Finally, consider isolating or disabling the WP Scriptcase plugin if it is not essential to reduce the attack surface.