CVE-2025-9061: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Mikado Themes Wilmer Core
The Wilmer Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-9061 is a stored cross-site scripting vulnerability in the Wilmer Core plugin for WordPress, developed by Mikado Themes, affecting all versions up to and including 2.4.5. The root cause is insufficient sanitization and escaping of user-supplied attributes in the plugin's shortcodes, the bracketed tags that WordPress expands into dynamic markup when a post is rendered. An authenticated user with contributor-level or higher permissions can place a shortcode in a post whose attribute value breaks out of the HTML attribute the plugin interpolates it into, or supply a javascript: URL where a link is expected. This matters because WordPress's own KSES filter strips script tags and event-handler attributes from the HTML a contributor writes, but it does not touch the text inside shortcode brackets; that text is turned into HTML by the plugin's handler at render time, so the plugin must escape it itself, and here it does not. Because the payload is stored in the post content, it runs in the browser of every user who loads the affected page, including the editor or administrator who previews a contributor's pending submission, and can read what that user sees or issue requests on that user's behalf. The CVSS 3.1 base score is 6.4 (medium), consistent with network attack vector, low attack complexity, low privileges required (a contributor account), no user interaction beyond the victim loading the page, changed scope because the script executes in other users' browsers rather than in the vulnerable plugin itself, and low confidentiality and integrity impact with no availability impact. No public exploit had been reported at the time of this entry. The record carries no patch link, so a fixed version could not be confirmed from it; sites running the plugin should check Mikado Themes' changelog directly and treat the issue as unpatched until they can.
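The pattern described above, as an added example in PHP; this is not code from the advisory, from Wordfence, or from the Wilmer Core plugin. It shows a shortcode handler that interpolates attribute values straight into markup next to a hardened version of the same handler. The shortcode name demo_button and its attributes are hypothetical, the contributor input is constructed, and the esc_*/shortcode_atts stand-ins are simplified substitutes that only exist so the file runs outside WordPress (inside WordPress the real functions are used).

```php
<?php
// Added example, not the plugin's code. Hypothetical shortcode "demo_button".
// The helpers below are simplified stand-ins for the WordPress functions of the
// same name so this file runs standalone; inside WordPress they are skipped.

if (!function_exists('shortcode_atts')) {
    // Like WordPress: keep only the attributes the handler declares, with defaults.
    function shortcode_atts(array $pairs, array $atts): array {
        return array_merge($pairs, array_intersect_key($atts, $pairs));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: allow http(s), protocol-relative, root-relative and
    // fragment URLs only; anything else (javascript:, data:, vbscript:) becomes ''.
    function esc_url($url): string {
        $url = trim((string) $url);
        if ($url === '' || !preg_match('#^(https?://|//|/|\#)#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: attribute values go straight into markup. Every value is
// contributor-controlled, and KSES does not filter the text inside shortcode
// brackets, so this handler is the only place escaping could have happened.
function demo_button_vulnerable($atts): string {
    $a = shortcode_atts(['link' => '#', 'text' => 'Read more', 'custom_class' => ''], (array) $atts);
    return '<a href="' . $a['link'] . '" class="demo-btn ' . $a['custom_class'] . '">' . $a['text'] . '</a>';
}

// Hardened: escape each value for the context it lands in (URL, attribute, text).
function demo_button_hardened($atts): string {
    $a = shortcode_atts(['link' => '#', 'text' => 'Read more', 'custom_class' => ''], (array) $atts);
    return sprintf(
        '<a href="%s" class="demo-btn %s">%s</a>',
        esc_url($a['link']),
        esc_attr($a['custom_class']),
        esc_html($a['text'])
    );
}

// Constructed contributor input. In post content it would be written as
//   [demo_button text="Read more" link="javascript:alert(document.domain)"
//                custom_class='" onmouseover="alert(document.domain)']
// WordPress's shortcode parser accepts single-quoted values, which is how a
// literal double quote reaches custom_class and closes the class attribute early.
$contributor_atts = [
    'link'         => 'javascript:alert(document.domain)',
    'text'         => 'Read more',
    'custom_class' => '" onmouseover="alert(document.domain)',
];

echo demo_button_vulnerable($contributor_atts), "\n";
echo demo_button_hardened($contributor_atts), "\n";
```

Running it prints the vulnerable output first: the javascript: link survives and the double quote in custom_class terminates the class attribute, leaving a live onmouseover handler on the anchor. In the hardened output esc_url drops the javascript: URL entirely and esc_attr turns the quote into &quot;, so the injected handler stays inside the class value as inert text. The fix is the same in any shortcode handler: choose the escaping function by output context, never by how trustworthy the author role is assumed to be.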
Potential Impact
The primary impact of CVE-2025-9061 is to the confidentiality and integrity of the affected site. The attacker's JavaScript runs in the browser of whoever views the page, in that user's authenticated context. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is not the usual outcome; the realistic one is the script issuing authenticated requests from the victim's browser, using the REST API and admin-ajax nonces readable from the page, to create an administrator account, change site settings, or install a plugin. Against an administrator that turns a contributor account into full control of the site, which is why the privilege-escalation path matters more than the medium score alone suggests. Because the payload is stored, it persists until the content is cleaned and fires for every visitor to the page, and a contributor's draft submitted for review fires for the editor who previews it even if it is never published. Organizations relying on the plugin face defacement, injected redirects or SEO spam, exposure of whatever data the victim can see, and the reputational and regulatory consequences that follow if user data is exposed. The medium CVSS score reflects the need for an authenticated contributor account; sites that hand out contributor accounts freely (multi-author blogs, community sites, sites whose default registration role is above subscriber) sit at the higher end of the risk. No exploitation in the wild had been reported at the time of this entry, which lowers immediate risk but does not preclude future exploitation.
Mitigation Recommendations
To mitigate CVE-2025-9061, first establish whether the plugin is installed and which version is present; wp plugin list --fields=name,version,status from WP-CLI, or the Plugins screen, answers both. If Mikado Themes has released a fixed version, apply it immediately; this record carries no patch reference, so confirm against the vendor's changelog rather than assuming one exists. Until a fix is in place:
- Restrict contributor and higher roles to trusted users, and review the user list for stale or unexpected contributor accounts. Contributors cannot publish, but editors and administrators preview pending submissions, and the preview renders the shortcode, so the review workflow itself is the delivery path.
- Where this plugin's shortcodes are not needed in user-authored content, unregister them with remove_shortcode() from a must-use plugin so their attribute values are never rendered.
- WAF rules that match script fragments, javascript: URLs or event-handler names inside shortcode attributes block the commonest payloads, but quoting and encoding variants are easy to produce, so treat the WAF as a detection aid rather than the fix.
- A Content Security Policy can stop injected inline script from running, but WordPress core and most themes depend on inline scripts, so a script-src policy without 'unsafe-inline' (nonce- or hash-based) needs testing against the site; deploy it as Content-Security-Policy-Report-Only first and promote it once the report stream is clean.
- Audit existing content, including drafts and pending posts, for shortcodes whose attribute values contain quotes, javascript: URLs, event handlers or encoded markup, and clean or remove what is found.
- Monitor for the actions a payload would take from a privileged session: new administrator users, plugin installations, and changes to site URL or other settings, as well as contributor posts edited repeatedly around the same shortcode.
- Keep backups current so the site can be restored if it is compromised.
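The content audit recommended above, as an added example in PHP; this is not code from the advisory, from Wordfence, or from the Wilmer Core plugin. It parses shortcodes and their attributes out of post content the way WordPress's parser reads them (double-quoted, single-quoted and bare values) and flags values carrying the indicators listed above, checking each value both raw and after URL and entity decoding. Run standalone it scans the constructed sample posts embedded below; run under WP-CLI with wp eval-file it scans the live posts table instead. The shortcode names in the samples are hypothetical, and the WP-CLI branch assumes the script is executed inside a WordPress install where $wpdb is available.

```php
<?php
// Added example, not the plugin's code. Standalone: scans the constructed posts
// below. Under WP-CLI (`wp eval-file audit-shortcodes.php`): scans wp_posts.

// Indicators checked against the raw value and its URL-/entity-decoded form.
const XSS_INDICATORS = [
    'javascript: URL'            => '/javascript\s*:/i',
    'inline event handler'       => '/\bon[a-z]+\s*=/i',
    'HTML tag inside attribute'  => '/<\s*\/?\s*[a-z!]/i',
    'data:text/html URL'         => '/data\s*:\s*text\/html/i',
    'numeric entity or \u escape' => '/(&#x?[0-9a-f]+;?|\\\\u[0-9a-f]{4})/i',
];

// Returns [['name' => shortcode, 'attrs' => [k => v]], ...] for every
// shortcode in $content that carries attributes.
function parse_shortcode_attributes(string $content): array {
    $found = [];
    if (!preg_match_all('/\[([a-zA-Z][\w-]*)\s+([^\]]+)\]/', $content, $tags, PREG_SET_ORDER)) {
        return $found;
    }
    foreach ($tags as $tag) {
        $attrs = [];
        // Same three value forms WordPress's shortcode_parse_atts() accepts.
        preg_match_all(
            '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/',
            $tag[2], $pairs, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL
        );
        foreach ($pairs as $p) {
            $attrs[$p[1]] = $p[2] ?? $p[3] ?? $p[4] ?? '';
        }
        $found[] = ['name' => $tag[1], 'attrs' => $attrs];
    }
    return $found;
}

// Reasons an attribute value deserves review; empty array means it looks clean.
function scan_attribute_value(string $value): array {
    $reasons = [];
    // A breakout needs a literal quote in the stored value, so check raw only.
    if (preg_match('/["\']/', $value)) {
        $reasons[] = 'quote in value (attribute breakout)';
    }
    $decoded = html_entity_decode(rawurldecode($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach (XSS_INDICATORS as $label => $re) {
        if (preg_match($re, $value) || preg_match($re, $decoded)) {
            $reasons[] = $label;
        }
    }
    return $reasons;
}

// $posts: rows with 'ID' and 'post_content'. Returns one finding per flagged attribute.
function audit_posts(array $posts): array {
    $findings = [];
    foreach ($posts as $post) {
        foreach (parse_shortcode_attributes((string) $post['post_content']) as $sc) {
            foreach ($sc['attrs'] as $name => $value) {
                $reasons = scan_attribute_value((string) $value);
                if ($reasons) {
                    $findings[] = [
                        'post_id' => (int) $post['ID'], 'shortcode' => $sc['name'],
                        'attribute' => $name, 'value' => $value, 'reasons' => $reasons,
                    ];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample posts (not real site data); shortcode names are hypothetical.
$posts = [
    ['ID' => 101, 'post_content' => '[demo_button text="Read more" link="https://example.com/about" type="solid"]'],
    ['ID' => 102, 'post_content' => "Intro [demo_button text='Read more' link='javascript:alert(document.domain)']"],
    ['ID' => 103, 'post_content' => "[demo_icon icon_pack='font_awesome' custom_class='\" onmouseover=\"alert(1)' size='large']"],
    ['ID' => 104, 'post_content' => '[demo_button text="Go" link="https://example.com/?q=%3Cscript%3E"]'],
];

global $wpdb;
if (isset($wpdb) && is_object($wpdb)) {
    // Inside WordPress: include drafts and pending posts, because a contributor's
    // unpublished submission still executes for the editor who previews it.
    $posts = $wpdb->get_results(
        "SELECT ID, post_content FROM {$wpdb->posts}
         WHERE post_status IN ('publish', 'pending', 'draft', 'future', 'private')",
        ARRAY_A
    );
}

foreach (audit_posts($posts) as $f) {
    printf("post %d: [%s %s=%s] -> %s\n",
        $f['post_id'], $f['shortcode'], $f['attribute'], $f['value'], implode(', ', $f['reasons']));
}
```

Post 101 is clean and produces no line; 102 is flagged for the javascript: URL, 103 for the quote breakout plus the event handler it smuggles in, and 104 only after decoding, when %3Cscript%3E becomes a tag. The output is a review list, not a verdict: a legitimate link can contain percent-encoding, so check each hit against the post's revision history and the author's role before cleaning it, and re-run after cleanup to confirm nothing was missed.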
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-15T12:27:38.754Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68c080a332300b81c82d9681
Added to database: 9/9/2025, 7:31:47 PM
Last enriched: 2/26/2026, 5:37:48 PM
Last updated: 3/25/2026, 12:16:00 AM