CVE-2025-8896: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Medium
Tags: Vulnerability, CVE-2025-8896, CWE-79
Published: Sat Aug 16 2025 (08/16/2025, 06:39:22 UTC)
Source: CVE Database V5
Vendor/Project: cozmoslabs
Product: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Description

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_communication_preferences[]' parameter in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form.

AI-Powered Analysis

Last updated: 08/24/2025, 01:08:30 UTC

Technical Analysis

CVE-2025-8896 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin 'User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor' by cozmoslabs. It affects all versions up to and including 3.14.3 and stems from insufficient input sanitization and output escaping of the 'gdpr_communication_preferences[]' parameter. When the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form, an authenticated user with Subscriber-level access or higher can submit script content through that parameter. Because the submitted value is stored and later rendered without sufficient escaping, the script executes in the browser of any user who views the injected page, which can enable session hijacking, privilege escalation, or unauthorized actions performed in the context of the victim's browser session. The flaw is exploitable over the network, requires only low privileges (the Subscriber role) and no user interaction, which broadens the attack surface on WordPress sites running this plugin. The CVSS v3.1 base score is 6.4 (medium severity), reflecting the network attack vector, low attack complexity, low required privileges, no user interaction, and an impact on confidentiality and integrity but not availability. No exploits in the wild are currently reported. The weakness is classified under CWE-79, improper neutralization of input during web page generation, a common and dangerous web application flaw.

Potential Impact

For European organizations, this vulnerability poses a significant risk particularly to those relying on WordPress websites with the affected plugin installed and the GDPR Communication Preferences module enabled. Since the vulnerability allows stored XSS attacks, it can lead to unauthorized access to user sessions, theft of sensitive data, and manipulation of user roles or content. This is especially critical for organizations handling personal data under GDPR regulations, as exploitation could result in data breaches and non-compliance penalties. The ability for low-privileged users to inject scripts increases the risk of insider threats or compromised accounts being leveraged for attacks. Additionally, the persistent nature of stored XSS means that multiple users can be affected over time, potentially damaging organizational reputation and trust. Given the widespread use of WordPress in Europe for business, governmental, and non-profit websites, the impact could extend to sectors such as finance, healthcare, education, and public administration. The vulnerability does not affect availability directly but compromises confidentiality and integrity, which are crucial for maintaining secure and trustworthy online services.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately audit their WordPress installations to identify the presence of the 'User Profile Builder' plugin and verify if the GDPR Communication Preferences module is enabled with at least one GDPR field active. If so, they should upgrade the plugin to a patched version once available from the vendor or apply any official patches or workarounds. In the absence of an official patch, temporarily disabling the GDPR Communication Preferences module or removing GDPR fields from the profile forms can reduce exposure. Additionally, implementing a Web Application Firewall (WAF) with custom rules to detect and block malicious script payloads targeting the 'gdpr_communication_preferences[]' parameter can provide interim protection. Organizations should also enforce strict user role management and monitor for unusual activity from Subscriber-level accounts. Regular security audits and scanning for XSS vulnerabilities using automated tools can help detect exploitation attempts. Educating site administrators about the risks of enabling unnecessary modules and maintaining up-to-date plugins is essential. Finally, logging and monitoring web server and application logs for suspicious input patterns related to this parameter can aid in early detection of exploitation attempts.
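As an added illustration of the interim WAF rule and log-monitoring checks described above (example code written for this page, not code from the plugin, the vendor, or the advisory), the Python below inspects one form-encoded POST body for the 'gdpr_communication_preferences[]' parameter. The allowed option values and the sample bodies are constructed assumptions; the key point is that legitimate values for a checkbox-group field come from a fixed, administrator-configured set, so anything outside that set is worth flagging, with double URL-encoding undone before the comparison.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Hypothetical option values an administrator configured for the GDPR
# Communication Preferences field (assumption for this example, not the
# plugin's own data). Legitimate submissions can only contain these.
ALLOWED_PREFERENCES = {"Newsletter", "Product updates", "Surveys"}

PARAM = "gdpr_communication_preferences[]"

# Conservative markers of markup or script in a value that should be plain text.
SUSPICIOUS = re.compile(r"<[a-z/!]|javascript:|on[a-z]+\s*=", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so that %253C is recognised as '<' too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_body(body, allowed=ALLOWED_PREFERENCES):
    """Return (value, reason) findings for the GDPR preference parameter found
    in one application/x-www-form-urlencoded request body."""
    findings = []
    # parse_qs URL-decodes keys, so both the wire form
    # 'gdpr_communication_preferences%5B%5D' and the literal '[]' map to PARAM.
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        plain = fully_decode(value)
        if plain not in allowed:
            reason = "markup_or_script" if SUSPICIOUS.search(plain) else "not_in_allowlist"
            findings.append((plain, reason))
    return findings

# Constructed sample POST bodies, as a WAF or a log pipeline would see them.
SAMPLE_BODIES = [
    "gdpr_communication_preferences%5B%5D=Newsletter&gdpr_communication_preferences%5B%5D=Surveys",
    "gdpr_communication_preferences%5B%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "gdpr_communication_preferences%5B%5D=%253Cimg+src%3Dx+onerror%253Dalert%25281%2529%253E",
    "gdpr_communication_preferences[]=Promotions",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(inspect_body(body) or "clean")
```

The first body passes clean, the second and third are flagged as markup even though the third was double-encoded, and the fourth is flagged only because "Promotions" is not a configured option.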

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-08-12T17:33:58.596Z
CVSS Version
3.1
State
PUBLISHED

Threat ID: 68a02993ad5a09ad0075aa15

Added to database: 8/16/2025, 6:47:47 AM

Last enriched: 8/24/2025, 1:08:30 AM

Last updated: 9/30/2025, 6:13:12 AM
