CVE-2025-9128

Vulnerability

Overview The eID Easy plugin for WordPress, in all versions up to and including 4.9.3, contains a Stored Cross-Site Scripting (XSS) vulnerability in the id parameter. The root cause is insufficient input sanitization and output escaping on that parameter, allowing malicious scripts to be stored and later executed in the context of an authenticated user's session [1].

Attack

Vector An attacker must have at least Contributor-level access to the WordPress site. By supplying a crafted payload in the id parameter (e.g., via a shortcode like [contract id=""), the script becomes part of a page that other users, including administrators, may view. No additional privileges or user interaction beyond rendering the page are required for the script to execute [1].

Impact

Successful exploitation enables an attacker to inject arbitrary web scripts into pages. These scripts can perform actions such as stealing session cookies, modifying page content, or exfiltrating sensitive data. Because the XSS is stored, the attack can affect every user who visits the compromised page, amplifying its potential harm [1].

Mitigation

The plugin vendor has not released a patch as of the publication date of this CVE. Site administrators are advised to disable the plugin or restrict Contributor-level users from using shortcodes that accept the vulnerable id parameter until a patched version becomes available [1].