CVE-2025-8719 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Translate This gTranslate Shortcode plugin for WordPress, developed by reubenthiessen. This vulnerability affects all versions up to and including version 1.0 of the plugin. The root cause is insufficient input sanitization and output escaping of the 'base_lang' parameter, which is used during web page generation. An attacker with authenticated access at the Contributor level or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts are then stored persistently and executed in the context of any user who subsequently accesses the compromised page. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reveals that the attack can be performed remotely over the network with low attack complexity, requires privileges of an authenticated user (Contributor or above), and does not require user interaction to trigger. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, and it impacts confidentiality and integrity to a limited extent but does not affect availability. No known exploits are currently reported in the wild, and no patches have been published at the time of this report. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

For European organizations using WordPress websites with the Translate This gTranslate Shortcode plugin installed, this vulnerability poses a significant risk. Since Contributor-level access is sufficient to exploit the flaw, any compromised or malicious insider or third-party with such privileges could inject malicious scripts. These scripts could steal session cookies, perform actions on behalf of users, or redirect users to malicious sites, thereby compromising user confidentiality and integrity of the website content. This can lead to data breaches, defacement, loss of customer trust, and potential regulatory non-compliance under GDPR if personal data is exposed. The persistent nature of stored XSS increases the risk as multiple users can be affected over time. Although availability is not impacted, the reputational damage and potential legal consequences can be substantial. European organizations with public-facing WordPress sites, especially those in sectors like e-commerce, finance, healthcare, and government, are particularly at risk due to the sensitivity of their data and regulatory scrutiny.

To mitigate this vulnerability, European organizations should immediately audit their WordPress installations to identify if the Translate This gTranslate Shortcode plugin is in use. If present, restrict Contributor-level access strictly to trusted users and review existing Contributor accounts for suspicious activity. Since no official patch is currently available, organizations should consider temporarily disabling or uninstalling the plugin until a secure update is released. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'base_lang' parameter. Additionally, enforce Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs for unusual activities related to page content modifications. Educate content contributors about the risks of injecting untrusted code and enforce strict input validation policies. Once a patch is released, prioritize its deployment and verify that input sanitization and output escaping are properly implemented. Finally, conduct security assessments and penetration testing focused on XSS vulnerabilities to ensure no residual issues remain.