CVE-2025-9057 is a stored cross-site scripting (XSS) vulnerability identified in the Biagiotti Core plugin developed by Mikado Themes for WordPress. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied shortcode attributes. Versions up to and including 2.1.3 are affected. Authenticated users with contributor-level or higher permissions can inject arbitrary JavaScript code into pages via crafted shortcode attributes. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the victim. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change indicating impact beyond the vulnerable component. No public exploits are currently known. The vulnerability is significant because contributor-level users are common in multi-author WordPress sites, and stored XSS can have persistent and widespread effects. The lack of patches at the time of reporting necessitates immediate attention from site administrators.

The impact of CVE-2025-9057 is primarily on the confidentiality and integrity of affected websites and their users. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, enabling session hijacking, credential theft, defacement, or distribution of malware. This can lead to unauthorized access to user accounts, data leakage, and damage to the website's reputation. Since the vulnerability requires contributor-level access, attackers must first compromise or gain such privileges, which is feasible in many collaborative environments. The scope change in the CVSS vector indicates that the vulnerability affects components beyond the plugin itself, potentially impacting the entire website. Although availability is not directly affected, the indirect consequences such as site defacement or user distrust can have operational impacts. Organizations running WordPress sites with the Biagiotti Core plugin are at risk of targeted attacks, especially those with multiple contributors or less stringent user access controls. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once the vulnerability is public.

To mitigate CVE-2025-9057, organizations should first check for and apply any official patches or updates from Mikado Themes as soon as they become available. In the absence of patches, administrators should restrict contributor-level permissions to trusted users only and review existing contributor accounts for suspicious activity. Implementing a web application firewall (WAF) with rules to detect and block malicious shortcode payloads can provide temporary protection. Site owners should audit all shortcode usage and sanitize or remove any suspicious content manually. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly monitoring logs for unusual activity and educating contributors about secure content practices will reduce exploitation likelihood. Finally, consider disabling shortcodes or the Biagiotti Core plugin if it is not essential, to eliminate the attack surface until a patch is released.