CVE-2025-9852 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Yoga Schedule Momoyoga WordPress plugin, developed by momostefan. This vulnerability exists in all versions up to and including 2.9.0. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'momoyoga-schedule' shortcode. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges (contributor or higher) but no user interaction for exploitation. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. No known exploits are currently reported in the wild, and no patches have been published yet. This vulnerability falls under CWE-79, which is a common web application security weakness related to improper neutralization of input during web page generation, leading to XSS.

For European organizations using WordPress sites with the Yoga Schedule Momoyoga plugin, this vulnerability poses a significant risk. Since contributors or higher privileged users can inject malicious scripts, insider threats or compromised contributor accounts could lead to persistent XSS attacks. The impact includes theft of session cookies, enabling attackers to impersonate users, including administrators, potentially leading to full site compromise. Additionally, attackers could perform unauthorized actions, deface websites, or distribute malware to site visitors. Given the widespread use of WordPress across European businesses, especially small and medium enterprises in sectors like wellness, fitness, and e-commerce, exploitation could damage reputation, lead to data breaches, and cause regulatory compliance issues under GDPR. The vulnerability’s scope change means that the entire site’s confidentiality and integrity could be affected, though availability is less impacted. The lack of user interaction for exploitation increases risk, as injected scripts execute automatically when pages are viewed.

European organizations should immediately audit their WordPress installations for the presence of the Yoga Schedule Momoyoga plugin and verify the version. Until an official patch is released, mitigation should include: 1) Restrict contributor-level access strictly to trusted users and review user roles to minimize privilege exposure. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns in requests targeting the 'momoyoga-schedule' shortcode. 3) Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 4) Sanitize and validate all user inputs at the application level, possibly by customizing the plugin code if feasible, to enforce strict escaping of shortcode attributes. 5) Monitor logs for unusual activity or injected content. 6) Educate content contributors about the risks of injecting untrusted content. Once a patch is available, prioritize immediate update of the plugin. Additionally, consider isolating or disabling the plugin if it is not critical to operations.