CVE-2025-9992 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'Ghost Kit – Page Builder Blocks, Motion Effects & Extensions' developed by nko. This vulnerability exists in all versions up to and including 3.4.3. The root cause is improper input sanitization and output escaping in the plugin's custom JavaScript (JS) field, which allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When any user accesses a page containing the injected script, the malicious code executes in their browser context. This vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or above), no user interaction needed, and a scope change indicating that the vulnerability affects resources beyond the vulnerable component. The impact includes limited confidentiality and integrity loss but no availability impact. No known exploits are currently in the wild, and no patches have been linked yet. However, the vulnerability poses a significant risk because stored XSS can lead to session hijacking, privilege escalation, defacement, or distribution of malware. Since the attack requires authenticated access at Contributor level or above, it is less likely to be exploited by anonymous attackers but remains a serious threat in environments where multiple users have such privileges. The vulnerability affects WordPress sites using this plugin, which is popular for page building and motion effects, making it a relevant concern for websites relying on this plugin for content management and presentation.

For European organizations, this vulnerability can lead to unauthorized script execution within their web applications, potentially compromising user data confidentiality and integrity. Attackers exploiting this flaw could hijack user sessions, steal sensitive information, or perform actions on behalf of legitimate users, undermining trust and compliance with data protection regulations such as GDPR. Since the vulnerability requires Contributor-level access, insider threats or compromised user accounts pose a significant risk. The scope change in the CVSS vector indicates that the vulnerability could affect multiple components or users beyond the initial compromised account, increasing the potential damage. Additionally, websites targeted by this vulnerability may suffer reputational damage and loss of customer trust if exploited. The lack of a patch at the time of disclosure means organizations must act quickly to mitigate risk. Given the widespread use of WordPress in Europe, especially among SMEs and content-driven businesses, the impact could be broad, affecting sectors such as e-commerce, media, education, and government portals that rely on this plugin for enhanced page functionality.

European organizations should immediately audit their WordPress installations to identify the presence of the Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin and verify the version in use. Until an official patch is released, organizations should restrict Contributor-level access strictly to trusted users and review existing user permissions to minimize the attack surface. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections in the custom JS fields can provide temporary protection. Additionally, organizations can sanitize or disable the custom JS field functionality if feasible. Monitoring logs for unusual activity related to page edits or script injections is recommended to detect potential exploitation attempts early. Regular backups of website content and configurations should be maintained to enable quick restoration if compromise occurs. Once a patch becomes available, prompt application is critical. Organizations should also educate content editors about the risks of injecting scripts and enforce strict content input validation policies. Employing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts can further reduce exploitation impact.