CVE-2025-9512: CWE-79 Cross-Site Scripting (XSS) in Schema & Structured Data for WP & AMP
The Schema & Structured Data for WP & AMP WordPress plugin before 1.50 does not properly handle HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments.
AI Analysis
Technical Summary
CVE-2025-9512 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting the Schema & Structured Data for WP & AMP WordPress plugin prior to version 1.50. The vulnerability arises because the plugin does not properly sanitize or handle modifications to HTML tag attributes within user-submitted post comments. This flaw allows unauthenticated attackers to inject malicious JavaScript code that is stored persistently in the comment data. When other users or administrators view the affected posts, the malicious script executes in their browsers, potentially leading to session hijacking, defacement, or redirection to malicious sites. The CVSS 3.1 base score is 6.1 (medium), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction (victim viewing the comment). The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the confidentiality and integrity of user data. No known exploits have been reported in the wild, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is widely used to add structured data and AMP support to WordPress sites, making many websites potentially vulnerable if not updated. The lack of a patch link suggests that a fixed version (1.50 or later) should be obtained directly from the vendor or official repositories.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to websites and web applications running WordPress with the affected plugin version. Exploitation can lead to unauthorized script execution in users' browsers, resulting in theft of session cookies, defacement, phishing, or spreading malware. This can damage organizational reputation, lead to data breaches involving user information, and cause compliance issues under GDPR due to compromised personal data confidentiality. Media companies, e-commerce platforms, and public sector websites that rely on WordPress structured data and AMP features are particularly at risk. The impact on availability is minimal, but the integrity and confidentiality of user interactions and data can be compromised. Since the attack requires user interaction, social engineering or targeted phishing campaigns could amplify the threat. The medium severity score reflects these factors, but organizations with high traffic or sensitive user data should treat this as a significant risk.
Mitigation Recommendations
1. Immediately update the Schema & Structured Data for WP & AMP plugin to version 1.50 or later where the vulnerability is fixed.
2. Implement strict input validation and sanitization on all user-generated content, especially post comments, to prevent injection of malicious HTML or JavaScript.
3. Employ a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting comment fields.
4. Enable comment moderation to review and approve comments before they are published publicly.
5. Educate site administrators and users about the risks of clicking on suspicious links or content in comments.
6. Regularly audit and monitor logs for unusual activities or repeated comment submissions containing suspicious scripts.
7. Consider disabling comments if not required or using alternative secure commenting systems.
8. Ensure that Content Security Policy (CSP) headers are configured to restrict execution of unauthorized scripts.
9. Back up website data regularly to enable quick restoration in case of defacement or compromise.
10. Coordinate with hosting providers to apply security patches and monitor for emerging exploit attempts.
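Item 6 above calls for auditing comment submissions. As an added example (not code from the plugin or from this advisory), the following Python audit parses stored comment bodies and flags active elements, event-handler attributes and script-scheme URLs for manual review. The `(comment_id, body)` row format and the sample rows are constructed assumptions; in practice the rows would come from an export of the site's comments.

```python
from html.parser import HTMLParser

# Attributes whose value is a URL and can therefore carry a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Elements that have no place in a visitor comment.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "style"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class CommentAuditor(HTMLParser):
    # Collects the reasons a stored comment body deserves manual review.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            # Values arrive entity-decoded; drop whitespace and control
            # characters, which browsers ignore in front of a URL scheme.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script URL in {name} on <{tag}>")


def audit_comments(rows):
    """rows: iterable of (comment_id, body). Returns {comment_id: [findings]}."""
    flagged = {}
    for comment_id, body in rows:
        auditor = CommentAuditor()
        auditor.feed(body)
        auditor.close()
        if auditor.findings:
            flagged[comment_id] = auditor.findings
    return flagged


# Constructed sample rows (not real data, not this CVE's payload).
SAMPLE_ROWS = [
    (102, '<a href="https://example.org/" onmouseover="track()">link</a>'),
    (103, '<a href="java&#115;cript:void(0)">profile</a>'),
    (104, "Use a < b when sorting, and onclick= is just text here."),
    (105, '<IFRAME SRC="https://example.org/widget"></IFRAME>'),
]

if __name__ == "__main__":
    for cid, reasons in audit_comments(SAMPLE_ROWS).items():
        print(cid, "; ".join(reasons))
```

Parsing the markup instead of pattern-matching the raw text keeps plain-text mentions such as row 104 out of the review queue while still catching entity-encoded schemes such as row 103.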
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-08-26T20:32:00.313Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68dcc4bb8fb4916d8527d90c
Added to database: 10/1/2025, 6:05:47 AM
Last enriched: 10/8/2025, 6:45:57 AM
Last updated: 11/13/2025, 12:48:26 AM