CVE-2025-9855 is a stored cross-site scripting vulnerability identified in the Enhanced BibliPlug plugin for WordPress, affecting all versions up to and including 1.3.8. The root cause is insufficient sanitization and escaping of user-supplied input in the 'bibliplug_authors' shortcode, which allows authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C) indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality and integrity but not availability. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability is particularly dangerous because contributor-level users are common in WordPress sites, and the stored nature of the XSS means persistent risk to all users accessing the infected pages.

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites using the Enhanced BibliPlug plugin. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, theft of sensitive data, unauthorized content modification, or further compromise of the site. Since the vulnerability does not affect availability, denial-of-service is unlikely. However, the compromise of administrative accounts or sensitive data can have severe operational and reputational consequences. Organizations relying on this plugin for bibliographic management on WordPress sites face risks of persistent site defacement, data leakage, and unauthorized administrative actions. The scope change in the CVSS vector indicates that the vulnerability can impact components beyond the plugin itself, potentially affecting the entire WordPress installation and its users.

1. Immediate mitigation should include restricting contributor-level user privileges to trusted individuals only, minimizing the risk of malicious script injection. 2. Disable or remove the Enhanced BibliPlug plugin until a vendor patch is available. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script payloads in shortcode attributes, especially targeting the 'bibliplug_authors' parameter. 4. Conduct a thorough audit of existing content generated by the plugin to identify and remove any injected scripts. 5. Monitor user activity logs for unusual behavior from contributor-level accounts. 6. Once a patch is released by the vendor, apply it promptly and verify that input sanitization and output escaping are correctly implemented. 7. Educate site administrators and contributors about safe content submission practices and the risks of XSS. 8. Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. 9. Regularly update WordPress core and all plugins to minimize exposure to known vulnerabilities.