CVE-2025-9344 is a stored Cross-Site Scripting (XSS) vulnerability identified in the UsersWP plugin for WordPress, specifically affecting the front-end login form, user registration, user profile, and members directory functionalities. The vulnerability exists due to insufficient input sanitization and output escaping of user-supplied attributes within the 'uwp_profile' and 'uwp_profile_header' shortcodes. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by these shortcodes. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all plugin versions up to and including 1.2.42. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and scope change. The vulnerability impacts confidentiality and integrity but not availability. No public exploits have been reported yet, but the presence of stored XSS in a widely used WordPress plugin poses a significant risk. The plugin's popularity in WordPress sites globally increases the potential attack surface. The vulnerability was published on August 28, 2025, and assigned by Wordfence. No official patches or updates are currently linked, so users must monitor vendor advisories for fixes.

The impact of CVE-2025-9344 is primarily on the confidentiality and integrity of affected WordPress sites using the vulnerable UsersWP plugin. An attacker with contributor-level access can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of victims. This can lead to account compromise, data leakage, and erosion of user trust. Although availability is not directly impacted, the resulting compromise could lead to site defacement or further exploitation that affects uptime. Organizations relying on this plugin for user management face risks of targeted attacks, especially if they have contributors with elevated privileges. The vulnerability's exploitation requires authentication but no user interaction beyond page viewing, making it easier for attackers to leverage once inside. The scope includes all sites running affected plugin versions, which could be numerous given WordPress's market share. Without mitigation, attackers could use this vulnerability as a foothold for broader attacks within the organization’s web infrastructure.

To mitigate CVE-2025-9344, organizations should first verify if they are using the UsersWP plugin version 1.2.42 or earlier. Immediate steps include restricting contributor-level permissions to trusted users only, minimizing the number of users who can inject content. Administrators should monitor and audit user-generated content for suspicious scripts or anomalies in the 'uwp_profile' and 'uwp_profile_header' shortcode outputs. Implementing a Web Application Firewall (WAF) with custom rules to detect and block common XSS payloads targeting these shortcodes can provide temporary protection. Site owners should subscribe to vendor updates and apply patches promptly once available. Additionally, employing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script sources. Regular backups and incident response plans should be in place to recover from potential compromises. For long-term security, consider alternative plugins with better security track records or custom development that enforces strict input validation and output encoding.