CVE-2025-9058 is a stored cross-site scripting vulnerability identified in the Mikado Core plugin for WordPress, a widely used content management system. The vulnerability exists due to improper neutralization of input during web page generation, specifically within shortcode attributes that are not sufficiently sanitized or escaped before output. This allows authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling unauthorized actions such as privilege escalation or content manipulation. The vulnerability affects all versions up to and including 1.5.2 of Mikado Core. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or known exploits are currently reported, but the vulnerability poses a significant risk due to the common use of WordPress and Mikado themes in website development. The flaw highlights the importance of rigorous input validation and output encoding in plugin development to prevent injection attacks.

The impact of CVE-2025-9058 is primarily on the confidentiality and integrity of affected WordPress sites using the Mikado Core plugin. Successful exploitation can lead to session hijacking, enabling attackers to impersonate legitimate users or administrators, potentially resulting in unauthorized content changes, data theft, or further compromise of the website. Since the vulnerability is stored XSS, the malicious payload persists on the server and affects all users who access the infected page, increasing the attack surface. This can damage the reputation of organizations, lead to data breaches, and disrupt normal website operations. Although availability is not directly impacted, the indirect consequences such as defacement or injection of malicious content can cause significant operational and financial harm. Organizations relying on Mikado Core for their WordPress sites, especially those with contributor-level user roles, face increased risk. The medium severity score reflects that exploitation requires authenticated access, limiting exposure but still posing a notable threat in environments with multiple contributors or less restrictive access controls.

To mitigate CVE-2025-9058, organizations should first update the Mikado Core plugin to a version where the vulnerability is patched once available. Until then, restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious shortcode injection. Implement additional input validation and output escaping at the application or web server level if possible, such as using Web Application Firewalls (WAFs) configured to detect and block XSS payloads in shortcode parameters. Regularly audit and sanitize existing content for injected scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor logs and user activity for suspicious behavior indicative of exploitation attempts. Educate content contributors about safe input practices and the risks of injecting untrusted code. Finally, maintain regular backups of website content to enable rapid recovery if compromise occurs.