CVE-2025-8896 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor' developed by cozmoslabs. This vulnerability exists in all versions up to and including 3.14.3. The root cause is improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping of the 'gdpr_communication_preferences[]' parameter. This parameter is part of the GDPR Communication Preferences module, which must be enabled and have at least one GDPR Communication Preferences field added to the user profile edit form for exploitation to be possible. An authenticated attacker with at least Subscriber-level privileges can inject arbitrary JavaScript code into pages viewed by other users. Because the malicious script is stored, it executes whenever a user accesses the infected page, potentially leading to session hijacking, privilege escalation, or other malicious actions. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges (authenticated user), no user interaction, and a scope change due to impact on other users. No known exploits are currently in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.

For European organizations using WordPress sites with the affected User Profile Builder plugin, this vulnerability poses a significant risk to confidentiality and integrity. Attackers with subscriber-level access—which is often easy to obtain through registration or compromised accounts—can inject malicious scripts that execute in the context of other users, including administrators. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement, or distribution of malware. The GDPR Communication Preferences module's involvement is notable since GDPR compliance is mandatory in Europe, making this module likely to be enabled in many deployments. Exploitation could undermine user trust and lead to data breaches, which have severe regulatory and reputational consequences under GDPR. Although availability impact is low, the compromise of user data and potential for privilege escalation can disrupt business operations and lead to costly incident response and remediation.

European organizations should immediately audit their WordPress installations for the presence of the User Profile Builder plugin and verify if the GDPR Communication Preferences module is enabled with fields added to user profiles. Until a patch is available, administrators should consider disabling the GDPR Communication Preferences module or removing the affected fields to mitigate exploitation. Restricting subscriber-level privileges and monitoring for unusual activity can reduce risk. Implementing Web Application Firewall (WAF) rules to detect and block suspicious inputs targeting the 'gdpr_communication_preferences[]' parameter can provide additional protection. Regularly updating WordPress plugins and monitoring vendor announcements for patches is critical. Additionally, organizations should educate users about the risks of XSS and encourage strong authentication practices to limit account compromise.