CVE-2025-9128 is a stored Cross-Site Scripting (XSS) vulnerability identified in the eID Easy plugin for WordPress, affecting all versions up to and including 4.9.3. The vulnerability stems from improper neutralization of input during web page generation, specifically through the 'id' parameter. Authenticated attackers with at least Contributor-level privileges can inject arbitrary JavaScript code into pages by exploiting insufficient input sanitization and lack of proper output escaping. Because the malicious scripts are stored persistently, they execute every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the affected page and can affect the confidentiality and integrity of user data. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change with partial confidentiality and integrity impacts. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The flaw is categorized under CWE-79, which is a common and critical web application security issue. The vulnerability affects a widely used WordPress plugin, increasing the risk to many websites that rely on eID Easy for identity-related functionality.

The primary impact of CVE-2025-9128 is the compromise of user confidentiality and integrity on websites using the vulnerable eID Easy plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, theft of sensitive information such as authentication tokens, and unauthorized actions performed with elevated privileges. This can result in website defacement, data leakage, or further compromise of the underlying infrastructure. Since WordPress powers a significant portion of the web, and eID Easy is used for identity management, organizations relying on this plugin face risks of reputational damage, loss of customer trust, and regulatory compliance issues if user data is exposed. The vulnerability does not affect availability directly but can indirectly disrupt services if exploited to escalate privileges or deploy additional malware. The medium severity score reflects the need for timely remediation to prevent exploitation, especially in environments where multiple users have Contributor or higher roles.

To mitigate CVE-2025-9128, organizations should immediately update the eID Easy plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious input patterns targeting the 'id' parameter can provide temporary protection. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly auditing user roles and permissions to enforce the principle of least privilege reduces the attack surface. Website owners should also monitor logs for unusual activities and conduct security scans to detect potential exploitation. Finally, developers maintaining the plugin should adopt secure coding practices, including proper input validation and output encoding, to prevent similar vulnerabilities in the future.