CVE-2025-9852 is a stored cross-site scripting (XSS) vulnerability identified in the Yoga Schedule Momoyoga plugin for WordPress, affecting all versions up to and including 2.9.0. The root cause is insufficient sanitization and escaping of user-supplied attributes within the plugin's 'momoyoga-schedule' shortcode. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes in the context of any user who visits the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. No public exploits have been reported yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The plugin is widely used in WordPress environments for scheduling yoga classes, making this a relevant threat for many websites that rely on this functionality. The lack of a patch link suggests that a fix may not have been released at the time of reporting, emphasizing the need for interim mitigations.

The impact of this vulnerability is significant for organizations running WordPress sites with the Yoga Schedule Momoyoga plugin installed. Exploitation allows an attacker with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, defacement of website content, and potential spread of malware. Since the attack requires authenticated access, the risk is somewhat mitigated by user role restrictions; however, contributor roles are common in many WordPress setups. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially vulnerable plugin, potentially impacting the entire site. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, as attackers may develop exploits in the future. Organizations with high traffic or sensitive user data are at greater risk due to the potential for widespread impact and data compromise.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates released by the plugin vendor as soon as they become available. In the absence of a patch, administrators should restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the 'momoyoga-schedule' shortcode can provide additional protection. Site administrators should audit existing content generated by the plugin for suspicious scripts and remove any malicious code. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting the sources from which scripts can be loaded. Additionally, hardening WordPress security by disabling unnecessary shortcodes, enforcing strong user authentication, and monitoring logs for unusual activity related to the plugin is recommended. Regular security assessments and user role reviews will further reduce exposure.