CVE-2025-8719 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Translate This gTranslate Shortcode plugin for WordPress, maintained by reubenthiessen. The vulnerability exists due to improper neutralization of input during web page generation, specifically through the 'base_lang' parameter. This parameter is insufficiently sanitized and escaped before being rendered in the page output, allowing an authenticated attacker with at least Contributor-level privileges to inject arbitrary JavaScript code. Because the injected scripts are stored persistently, they execute in the context of any user who accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions. The vulnerability affects all versions up to and including 1.0. The CVSS v3.1 score is 6.4 (medium severity), with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact includes limited confidentiality and integrity loss but no availability impact. No patches or official fixes have been published yet, and no known exploits are reported in the wild. The vulnerability was reserved and published in August 2025. The CWE classification is CWE-79, indicating improper input neutralization leading to XSS.

This vulnerability allows attackers with Contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users viewing those pages. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the attack requires authenticated access, the risk is somewhat limited to environments where user roles are not tightly controlled. However, many WordPress sites allow Contributor or higher roles for content creators, making this a realistic threat. The scope change means the vulnerability can affect resources beyond the initial component, potentially impacting the entire site. Organizations relying on this plugin risk reputational damage, data leakage, and user trust erosion. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as exploit code could emerge. The medium severity reflects a moderate but actionable risk.

Organizations should immediately audit user roles and restrict Contributor-level and higher privileges to trusted users only. Disable or remove the Translate This gTranslate Shortcode plugin if it is not essential. Monitor WordPress pages for unexpected script injections or unusual content changes. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'base_lang' parameter. Until an official patch is released, consider applying custom input validation and output encoding in the plugin code to sanitize 'base_lang' inputs. Regularly update WordPress and all plugins to the latest versions. Educate content contributors about the risks of injecting untrusted content. Conduct security scans and penetration tests focusing on stored XSS vectors. Maintain logs and alerts for anomalous user behavior that could indicate exploitation attempts.