CVE-2025-9543: CWE-79 Cross-Site Scripting (XSS) in FlexTable
The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Analysis
Technical Summary
CVE-2025-9543 is a Stored Cross-Site Scripting (XSS) vulnerability in the FlexTable WordPress plugin prior to version 3.19.2. The root cause is the plugin's failure to sanitize and escape links imported from Google Sheet cells before rendering them. An attacker with high privileges, such as an administrator, can therefore inject JavaScript that is stored persistently within the WordPress site.

Notably, the vulnerability can be exploited even when the unfiltered_html capability is disabled, a common restriction in multisite WordPress environments intended to limit HTML injection. That capability governs the filtering WordPress applies to post and comment content; data that a plugin imports, stores and renders on its own path is not covered by it, so the plugin must sanitize and escape that data itself. The stored XSS can lead to session hijacking, privilege escalation, defacement, or redirection to malicious sites. Although no public exploits have been reported yet, the vulnerability remains significant: high privileges are needed to plant the payload, but once stored it runs in the browser of anyone who views the affected page.

The vulnerability was reserved in August 2025 and published in January 2026; no CVSS score has been assigned. All versions prior to 3.19.2 are affected, and no official patch links were provided in the source data, so users should obtain updates directly from the plugin maintainers or the official WordPress plugin repository. The issue is tracked under CWE-79 (Cross-Site Scripting). The plugin's Google Sheets import is the attack vector, which highlights the risk of rendering external data sources in WordPress without proper sanitization.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those running WordPress sites that use the FlexTable plugin to import data from Google Sheets. The stored XSS can compromise confidentiality by enabling session hijacking or credential theft against administrators. Integrity can be affected through unauthorized content modification or the injection of scripts that alter site behavior. Availability might be impacted if attackers use the vulnerability to deface sites or disrupt normal operations.

Multisite WordPress setups, common in large organizations and educational institutions across Europe, are particularly exposed: the unfiltered_html capability is often withheld there precisely to mitigate this class of risk, yet this vulnerability bypasses that control. The threat is amplified in sectors with high-value targets such as finance, government, and healthcare, where WordPress is used for public-facing or internal portals. The absence of known exploits in the wild leaves a window for proactive mitigation, but because exploitation requires high privileges, insider threats or compromised admin accounts are the realistic path to abuse. Overall, the impact on European organizations could range from data breaches to reputational damage and operational disruption.
Mitigation Recommendations
To mitigate CVE-2025-9543, European organizations should update the FlexTable plugin to version 3.19.2 or later as soon as it is available, since that version addresses the sanitization and escaping issues. Until the update is applied, restrict administrative access to trusted personnel only and monitor admin activity for suspicious behavior. Add input validation and sanitization controls on data imported from external sources such as Google Sheets, for example through custom filters or security plugins that enforce strict content policies. Deploy a Content Security Policy (CSP) to limit the execution of unauthorized scripts on WordPress sites. Regularly audit multisite WordPress configurations to confirm that capabilities such as unfiltered_html are enforced and complemented by other security layers, bearing in mind that plugin-owned data is not covered by that capability. Provide security awareness training so administrators recognize and avoid risky behaviors that could lead to exploitation. Finally, maintain regular backups and an incident response plan to recover quickly from any compromise resulting from this vulnerability.
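The pattern behind this class of bug and its fix, shown as an added illustration rather than FlexTable's own code: a WordPress table renderer prints a link cell imported from a sheet. The vulnerable form echoes the cell unchanged; the hardened form escapes each value for the context it lands in, independent of whether the current user holds unfiltered_html. The function names and the cell layout are assumptions; esc_url(), esc_url_raw(), esc_html() and sanitize_text_field() are standard WordPress functions.

```php
<?php
// Added illustration, not FlexTable's own code. Assumes a cell imported from a
// sheet is stored as ['text' => ..., 'url' => ...] in plugin-owned data.

// Vulnerable pattern: imported values are concatenated into markup as-is.
// Data a plugin stores itself never passes through the wp_kses filtering that
// the unfiltered_html capability controls for post content, so withholding
// that capability (as multisite does) gives no protection here.
function ft_render_link_cell_vulnerable( array $cell ): string {
    return '<td><a href="' . $cell['url'] . '">' . $cell['text'] . '</a></td>';
}

// Hardened pattern: escape on output, per context.
// esc_url() returns an empty string for URLs whose scheme is not in
// wp_allowed_protocols() (so a javascript: link is dropped) and encodes
// characters that could break out of the attribute; esc_html() neutralises
// any tags in the visible text.
function ft_render_link_cell_hardened( array $cell ): string {
    $url  = esc_url( (string) ( $cell['url'] ?? '' ) );
    $text = esc_html( (string) ( $cell['text'] ?? '' ) );

    if ( '' === $url ) {
        // No usable link survived validation: render the text without an anchor.
        return '<td>' . $text . '</td>';
    }
    return '<td><a href="' . $url . '" rel="noopener">' . $text . '</a></td>';
}

// Sanitise at import time as well, so the stored copy is already clean and
// any cached or exported copies of the table cannot carry a payload.
// esc_url_raw() is the database-safe variant of esc_url().
function ft_sanitize_imported_cell( array $raw ): array {
    return array(
        'text' => sanitize_text_field( (string) ( $raw['text'] ?? '' ) ),
        'url'  => esc_url_raw( (string) ( $raw['url'] ?? '' ) ),
    );
}
```

Escaping at output is the control that actually closes the hole; import-time sanitisation is defence in depth, since data that reached the database before the fix would otherwise still render unescaped.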
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-08-27T13:44:16.128Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 695b56c7db813ff03e37ad0e
Added to database: 1/5/2026, 6:14:31 AM
Last enriched: 1/5/2026, 6:29:04 AM
Last updated: 1/7/2026, 4:46:44 AM