CVE-2025-8719 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Translate This gTranslate Shortcode plugin for WordPress, developed by reubenthiessen. This vulnerability arises from improper neutralization of input during web page generation, specifically involving the 'base_lang' parameter. Versions up to and including 1.0 of the plugin do not sufficiently sanitize or escape user input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time any user accesses the compromised page, potentially leading to session hijacking, defacement, or further exploitation of the victim's browser environment. The vulnerability has a CVSS v3.1 base score of 6.4 (medium severity), reflecting that it can be exploited remotely over the network without user interaction but requires some level of privileges (Contributor or above). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially compromised component, potentially impacting the confidentiality and integrity of data. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability is classified under CWE-79, which is a common and well-understood web application security issue related to insufficient input validation and output encoding.

For European organizations using WordPress websites with the Translate This gTranslate Shortcode plugin, this vulnerability poses a significant risk to web application security. An attacker with Contributor-level access—often a role assigned to trusted content creators or editors—could inject malicious scripts that execute in the browsers of site visitors, including administrators and customers. This can lead to theft of authentication cookies, unauthorized actions performed on behalf of users, defacement of web content, or distribution of malware. The impact is particularly critical for organizations handling sensitive user data or financial transactions, as confidentiality and integrity could be compromised. Additionally, the persistent nature of stored XSS increases the attack surface and duration of exposure. Given the widespread use of WordPress in Europe across industries such as e-commerce, media, education, and government, exploitation could damage reputation, lead to regulatory non-compliance (e.g., GDPR breaches), and cause financial losses. The medium CVSS score reflects the need for timely mitigation, especially since exploitation does not require user interaction but does require authenticated access, which may be obtained through phishing or credential compromise.

1. Immediately audit WordPress installations to identify the presence of the Translate This gTranslate Shortcode plugin, especially versions up to 1.0. 2. Restrict Contributor-level and higher permissions strictly to trusted users; review and minimize the number of users with such access. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'base_lang' parameter or other input fields associated with this plugin. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 5. Monitor logs for unusual activity or injection attempts related to the plugin. 6. Since no official patch is currently available, consider temporarily disabling or removing the plugin until a secure version is released. 7. Educate content contributors about the risks of XSS and safe content submission practices. 8. Regularly update WordPress core and plugins to incorporate security fixes promptly once available. 9. Conduct penetration testing focused on stored XSS vectors to verify the effectiveness of mitigations.