CVE-2025-8720 identifies a stored Cross-Site Scripting (XSS) vulnerability in the morehawes Plugin README Parser for WordPress, present in all versions up to and including 1.3.15. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'target' parameter. Authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code into plugin-generated pages. This malicious code is stored persistently and executed in the context of any user who views the infected page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability does not require user interaction beyond page access and does not impact availability but compromises confidentiality and integrity. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and scope change due to affecting other users. No public exploits have been reported yet, but the vulnerability poses a moderate risk to WordPress sites using this plugin. The lack of a current patch necessitates immediate mitigation steps to reduce exposure.

The stored XSS vulnerability allows attackers with Contributor-level access to inject malicious scripts that execute in the browsers of users viewing affected pages. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access escalation. It may also allow attackers to perform actions on behalf of other users, deface content, or distribute malware. Since the vulnerability affects a popular WordPress plugin, many websites could be compromised, especially those with multiple contributors. The impact is primarily on confidentiality and integrity, with no direct denial of service or availability impact. Organizations relying on WordPress for content management, especially those with collaborative editing, face increased risk of data breaches and reputational damage. The medium severity score indicates a significant but not critical threat, emphasizing the need for timely remediation.

To mitigate this vulnerability, organizations should immediately restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. Administrators should audit existing content generated by the Plugin README Parser for suspicious or unexpected scripts and remove any malicious code found. Implementing Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the 'target' parameter can provide temporary protection. Monitoring logs for unusual activity related to the plugin is advisable. Since no official patch is currently available, organizations should track vendor updates closely and apply patches promptly once released. Additionally, employing Content Security Policy (CSP) headers can help reduce the impact of injected scripts by restricting script execution sources. Educating users about the risks of XSS and enforcing the principle of least privilege for WordPress roles will further reduce exposure.