CVE-2025-10138 in This-or-That Plugin

Summary

by MITRE • 10/22/2025

The This-or-That plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'thisorthat' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 10/22/2025

CVE-2025-10138 affects the This-or-That plugin for WordPress in all versions up to and including 1.0.4. The analysts rate it a critical flaw: an authenticated attacker with contributor-level permissions or higher can perform stored cross-site scripting. The root cause is inadequate input sanitization and output escaping in the plugin's 'thisorthat' shortcode implementation, which leaves a persistent payload in place that affects every user who views a compromised page.

The flaw sits in the plugin's shortcode processing: user-supplied shortcode attributes are stored in the database without proper sanitization, and when the shortcode is later rendered the attribute values are embedded directly into the HTML output without adequate escaping. Because WordPress renders shortcodes on every page view, a malicious value persists and executes in the browsers of other users who open the page. The required privilege level makes the issue more serious: contributor access is routinely granted to semi-trusted users such as guest authors, who are not expected to be able to place script in published pages.

The operational impact goes beyond simple script injection. Script running in a victim's browser can be used for session hijacking, credential theft, redirection to malicious sites, and data exfiltration. Because the payload fires for any user who opens an injected page, the exposed population can be large and the damage can compound over time. Since the injection is performed through a legitimate, authenticated contributor account, an attacker can also use that account to maintain persistence and avoid detection, which makes the issue especially insidious where contributor accounts hold broader privileges within the site. Being a stored vulnerability, the payload remains active until the offending content is found and removed.

Mitigation should start with an immediate update to a plugin version that corrects the sanitization and escaping issues, followed by input validation at multiple layers and additional controls such as a content security policy. Organizations should also review user permissions and apply the principle of least privilege to limit the impact of a compromised contributor account. The vulnerability aligns with CWE-79, which covers cross-site scripting flaws, and maps to ATT&CK technique T1548.001 related to abuse of credentials and privilege escalation. Regular security audits of installed WordPress plugins can surface similar sanitization and escaping deficiencies, and automated scanners can detect stored XSS in web applications. Logging and monitoring of content modifications can help detect unauthorized changes that may indicate exploitation attempts.
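The sanitize-on-input, escape-on-output pattern that the analysis recommends, shown as an added example of a WordPress shortcode handler in its vulnerable and hardened forms. This is illustrative code written for this page, not the This-or-That plugin's own source; the attribute names (`title`, `left`, `right`), the function names, and the markup are assumptions, since the page does not document the real shortcode's attributes.

```php
<?php
// Added example, not code from the This-or-That plugin.
// Attribute names ("title", "left", "right") and markup are hypothetical.

/**
 * Vulnerable pattern: attribute values are concatenated straight into HTML.
 * A contributor who saves a post containing [thisorthat ...] controls these
 * strings, and the resulting markup is rendered for every visitor of the page.
 */
function demo_thisorthat_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'left' => '', 'right' => '' ),
        $atts,
        'thisorthat'
    );

    return '<div class="thisorthat" title="' . $atts['title'] . '">'
         . '<button>' . $atts['left'] . '</button>'
         . '<button>' . $atts['right'] . '</button>'
         . '</div>';
}

/**
 * Hardened pattern: sanitize each attribute on input, then escape on output
 * with the function that matches the HTML context it lands in.
 */
function demo_thisorthat_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'left' => '', 'right' => '' ),
        $atts,
        'thisorthat'
    );

    // Input sanitization: strips tags, octets and extra whitespace.
    $title = sanitize_text_field( $atts['title'] );
    $left  = sanitize_text_field( $atts['left'] );
    $right = sanitize_text_field( $atts['right'] );

    // Output escaping chosen per context: esc_attr() inside an attribute
    // value, esc_html() inside a text node.
    return '<div class="thisorthat" title="' . esc_attr( $title ) . '">'
         . '<button>' . esc_html( $left ) . '</button>'
         . '<button>' . esc_html( $right ) . '</button>'
         . '</div>';
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
add_shortcode( 'thisorthat', 'demo_thisorthat_hardened' );
```

Escaping in the handler is the control that actually closes the hole: WordPress's save-time filtering for users without the `unfiltered_html` capability operates on HTML tags in the post body, not on the text inside shortcode attribute values, so a value that is dropped unescaped into an attribute or text node reaches the browser intact. Sanitizing on input is defense in depth on top of that, and the same two-step pattern applies to any shortcode or block that renders user-controlled attributes.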

Disclosure

10/22/2025

Moderation

accepted

CPE

ready

EPSS

0.00214

KEV

no

Activities

very low

Sources
