CVE-2025-9128 is a stored Cross-Site Scripting (XSS) vulnerability affecting the eID Easy plugin for WordPress, versions up to and including 4.9.3. The vulnerability arises from improper neutralization of input during web page generation, specifically via the 'id' parameter. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level access or higher can inject arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or distribution of malware. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based (remote), with low attack complexity, requiring privileges (Contributor or above), no user interaction, and impacts confidentiality and integrity with a scope change (affecting other users). There are currently no known exploits in the wild and no official patches published yet. The vulnerability affects all versions of the eID Easy plugin up to 4.9.3, which is used to facilitate electronic identification processes within WordPress environments.

For European organizations, this vulnerability poses a significant risk, especially those relying on the eID Easy plugin to manage electronic identification and authentication workflows on WordPress sites. Exploitation could allow attackers to inject malicious scripts that compromise user sessions, steal sensitive identity data, or manipulate authentication processes. Given the critical role of eID systems in Europe for compliance with eIDAS regulations and digital identity verification, such an attack could undermine trust, lead to data breaches involving personal identifiable information (PII), and disrupt services. The scope of the vulnerability allows attackers with relatively low privileges to affect other users, increasing the risk of widespread impact within an organization’s user base. Additionally, the lack of user interaction required for exploitation facilitates automated attacks once an attacker has contributor access. This could lead to reputational damage, regulatory penalties under GDPR, and operational disruptions, particularly for public sector entities, financial institutions, and service providers heavily reliant on eID solutions.

Organizations should immediately audit their WordPress installations to identify the presence of the eID Easy plugin and verify the version in use. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict Contributor-level and higher access strictly to trusted users, minimizing the attack surface. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'id' parameter in HTTP requests. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Conduct thorough input validation and output encoding at the application level if custom modifications are possible. 5) Monitor logs for unusual activity related to page modifications or script injections. 6) Plan for immediate update or removal of the vulnerable plugin once a patch becomes available. 7) Educate administrators and content contributors about the risks of XSS and safe content practices. These measures go beyond generic advice by focusing on access control tightening, proactive detection, and containment strategies tailored to the specific vulnerability vector.