CVE-2025-9875 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'Event Tickets, RSVPs, Calendar' by ticketspot, present in all versions up to and including 1.0.2. The vulnerability arises from improper neutralization of user-supplied input in the 'ticket_spot' shortcode attributes, where insufficient input sanitization and output escaping allow an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because this is a stored XSS, the malicious script is saved on the server and executed in the browsers of any users who visit the compromised page, potentially leading to session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability requires authentication at contributor level or above, which means attackers must have some level of access to the WordPress backend, but no user interaction is needed once the malicious script is stored. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impact on confidentiality and integrity but not availability. No known exploits are reported in the wild yet, and no official patches have been linked as of the publication date. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation, a common and impactful web application security flaw.

For European organizations using the affected WordPress plugin, this vulnerability poses a significant risk to website integrity and user trust. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session cookies, redirecting users to phishing sites, or performing unauthorized actions on behalf of users. This can lead to data breaches involving personal data protected under GDPR, reputational damage, and potential regulatory penalties. Since many European businesses and event organizers rely on WordPress and related plugins for event management, the scope of impact can be broad, affecting sectors such as entertainment, education, and corporate event management. The vulnerability's exploitation could also facilitate lateral movement within compromised WordPress environments, further endangering internal systems. Given the medium severity and the requirement for authenticated access, the threat is moderate but should not be underestimated, especially in environments with multiple contributors or where contributor accounts are not tightly controlled.

European organizations should immediately audit their WordPress installations to identify the presence of the 'Event Tickets, RSVPs, Calendar' plugin and verify the version in use. Until an official patch is released, organizations should consider the following specific mitigations: 1) Restrict contributor-level access strictly to trusted users and review all contributor accounts for suspicious activity. 2) Implement Web Application Firewall (WAF) rules that detect and block suspicious script injection patterns in requests related to the 'ticket_spot' shortcode. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Regularly monitor logs and website content for unexpected script injections or modifications. 5) Educate contributors about the risks of inputting untrusted data and enforce strict input validation policies. 6) Consider temporarily disabling or removing the plugin if it is not essential, or replacing it with a more secure alternative until a patch is available. 7) Prepare to apply patches promptly once released and test updates in a staging environment before production deployment.