CVE-2025-10179 in My AskAI Plugin

Summary

by MITRE • 09/30/2025

The My AskAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'myaskai' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 09/30/2025

CVE-2025-10179 affects the My AskAI plugin for WordPress in all versions up to and including 1.0.0. The flaw is a stored cross-site scripting (XSS) weakness in the plugin's 'myaskai' shortcode: attribute values written by the post author are neither sanitized when the post is saved nor escaped when the shortcode is rendered, so script injected through the shortcode is persisted with the post and runs in the browser of anyone who views the affected page.

The defect is in how the shortcode handler treats its attributes. A user with the contributor role can author a post containing a [myaskai ...] shortcode whose attribute value carries a crafted string. WordPress stores that markup as ordinary post content, and the wp_kses filtering applied to posts from users without the unfiltered_html capability removes disallowed HTML tags but leaves the text of a shortcode attribute alone, so the payload survives into the database. When the page is rendered, the handler interpolates the attribute directly into the generated HTML without escaping, which lets the value close the surrounding attribute or element and introduce an event handler or script element. Because the payload lives in the stored post, it executes for every visitor who loads the page, including editors and administrators who review or preview the post, which is what makes this a stored rather than a reflected XSS.
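The pattern described above, as an added example that is not the My AskAI plugin's code and not part of the VulDB entry: a shortcode handler that splices an attribute straight into markup, beside a hardened handler that escapes at the point of output. The attribute names (title, placeholder) are assumptions for illustration; only the 'myaskai' tag name comes from the advisory. The stand-in definitions of shortcode_atts and esc_attr exist so the file runs with the php CLI outside WordPress; inside WordPress the real functions are used and the stand-ins are skipped.

```php
<?php
// Added example (not the My AskAI plugin's code). Shows the vulnerable
// interpolation pattern and the hardened form side by side.

// Stand-ins so this file runs stand-alone with `php`; WordPress provides
// the real implementations, in which case these blocks are skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts, string $shortcode = ''): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Assumed attribute names for illustration.
const MYASKAI_DEFAULTS = ['title' => 'Ask AI', 'placeholder' => 'Type a question'];

// VULNERABLE pattern: attribute values land in the HTML unchanged.
// A contributor saves [myaskai title='" onmouseover="alert(1)'] in a post;
// wp_kses strips <script> tags from post bodies, but the text inside a
// shortcode attribute is not HTML and passes through to this handler.
function myaskai_shortcode_vulnerable(array $atts): string {
    $atts = shortcode_atts(MYASKAI_DEFAULTS, $atts, 'myaskai');
    return '<div class="myaskai" data-title="' . $atts['title'] . '">'
         . '<input type="text" placeholder="' . $atts['placeholder'] . '">'
         . '</div>';
}

// HARDENED pattern: every attribute is escaped for the context it is used
// in (esc_attr for attribute values). Escaping at output, not at save time,
// is what closes the hole regardless of how the value got into the post.
function myaskai_shortcode_hardened(array $atts): string {
    $atts = shortcode_atts(MYASKAI_DEFAULTS, $atts, 'myaskai');
    return '<div class="myaskai" data-title="' . esc_attr($atts['title']) . '">'
         . '<input type="text" placeholder="' . esc_attr($atts['placeholder']) . '">'
         . '</div>';
}

// Inside WordPress, register the hardened handler for the tag.
if (function_exists('add_shortcode')) {
    add_shortcode('myaskai', 'myaskai_shortcode_hardened');
}

// Constructed attacker input, exactly as WordPress's shortcode parser hands
// it over after parsing [myaskai title='" onmouseover="alert(document.domain)'].
$attacker_atts = ['title' => '" onmouseover="alert(document.domain)'];

echo "vulnerable: " . myaskai_shortcode_vulnerable($attacker_atts) . PHP_EOL;
echo "hardened:   " . myaskai_shortcode_hardened($attacker_atts) . PHP_EOL;
```

The vulnerable output reads data-title="" onmouseover="alert(document.domain)", so the injected text has left the attribute and become an event handler on the div; the hardened output keeps the whole string inside the attribute as &quot;-encoded text. Note that a single-quoted shortcode attribute is the usual carrier here, because it lets the value contain double quotes that then terminate the plugin's double-quoted HTML attribute.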

For site operators the practical consequence is that any contributor-level account becomes a path to running arbitrary JavaScript in the browsers of other users, including the editors and administrators who open the affected page. Script running in an administrator's session can act with that session against the site's own endpoints, so the realistic outcomes are session riding, theft of credentials or tokens entered on the page, and changes to site configuration or user accounts made on the victim's behalf. Every visitor to the page is exposed, which makes the issue worse on sites with many contributors or with public-facing pages that embed the shortcode. Because the payload is part of the stored post, it stays active until the post is edited or deleted, and it fires again on every load until then.

Remediation is to update My AskAI to a release later than 1.0.0 in which the shortcode escapes its attributes on output; check the plugin changelog to confirm the fix before relying on it. Until the update is applied, limit the contributor role to trusted users, review existing posts for myaskai shortcodes with unexpected attribute values, and deploy a Content Security Policy on the front end that disallows inline script and inline event handlers, which blunts the most common payloads (a strict CSP is hard to apply to wp-admin itself, which relies on inline scripts). The weakness is classified as CWE-79, Improper Neutralization of Input During Web Page Generation. A web application firewall can block well-known payload patterns but is not a substitute for the fix, since shortcode attributes are free text and encodings vary. The broader lesson for plugin authors, and the check to apply when auditing other plugins and themes, is to treat every shortcode attribute as untrusted and escape it with the context-appropriate function (esc_attr, esc_html, esc_url, or wp_kses_post) at the point of output.
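The review of existing posts recommended above can be scripted. The following is an added example, not part of the VulDB entry or of the plugin: a heuristic audit that finds [myaskai ...] shortcodes in stored post content whose attribute values contain markup or event-handler fragments. The post rows are constructed here; on a live site the same function would take rows from wp_posts (for example from $wpdb->get_results() or wp post list --format=json). The tag name comes from the advisory; the attribute names and the sample payloads are assumptions.

```php
<?php
// Added example (not the plugin's code): audit stored posts for myaskai
// shortcodes carrying attribute values that could break out of an HTML
// attribute or add script when echoed unescaped.

// Parse one shortcode's attribute string the way WordPress's
// shortcode_parse_atts() handles the common forms: key="v", key='v', key=v.
function myaskai_parse_atts(string $text): array {
    $atts = [];
    $pattern = '/(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*\'([^\']*)\'|(\w+)\s*=\s*([^\s"\'\]]+)/';
    if (preg_match_all($pattern, $text, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            if (($m[1] ?? '') !== '') {
                $atts[$m[1]] = $m[2];
            } elseif (($m[3] ?? '') !== '') {
                $atts[$m[3]] = $m[4];
            } else {
                $atts[$m[5]] = $m[6];
            }
        }
    }
    return $atts;
}

// Characters and fragments that matter when a value is echoed unescaped.
// Hits are leads for manual review, not proof of an attack.
function myaskai_value_is_suspicious(string $value): bool {
    return (bool) preg_match('/[<>"]|\bon[a-z]+\s*=|javascript:/i', $value);
}

// Walk rows shaped like wp_posts (ID, post_author, post_content) and report
// every myaskai attribute whose value looks like an injection attempt.
function myaskai_find_suspicious_shortcodes(array $posts): array {
    $findings = [];
    foreach ($posts as $post) {
        if (!preg_match_all('/\[myaskai\b([^\]]*)\]/i', $post['post_content'], $tags)) {
            continue;
        }
        foreach ($tags[1] as $attr_string) {
            foreach (myaskai_parse_atts($attr_string) as $name => $value) {
                if (myaskai_value_is_suspicious($value)) {
                    $findings[] = [
                        'post_id'   => $post['ID'],
                        'author'    => $post['post_author'],
                        'attribute' => $name,
                        'value'     => $value,
                    ];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows with the columns an audit would pull from wp_posts.
// Post 11 is benign; posts 12 and 13 carry the two usual payload shapes.
$posts = [
    ['ID' => 11, 'post_author' => 2, 'post_content' =>
        'Welcome! [myaskai title="Ask our docs" placeholder="Type a question"]'],
    ['ID' => 12, 'post_author' => 7, 'post_content' =>
        '[myaskai title=\'" onmouseover="alert(document.domain)\']'],
    ['ID' => 13, 'post_author' => 7, 'post_content' =>
        '[myaskai placeholder="<img src=x onerror=alert(1)>"]'],
];

foreach (myaskai_find_suspicious_shortcodes($posts) as $f) {
    printf("post %d (author %d): attribute %s = %s\n",
        $f['post_id'], $f['author'], $f['attribute'], $f['value']);
}
```

Run against the sample rows this reports posts 12 and 13 and stays silent on post 11. Grouping the hits by post_author is useful in practice: a single contributor account responsible for several flagged posts is the account to suspend while the posts are cleaned up. The heuristic does not try to be complete (encoded payloads and unusual attribute quoting will slip past it), which is one more reason the plugin update, not the audit, is the actual fix.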

Disclosure

09/30/2025

Moderation

accepted

CPE

ready

EPSS

0.00035

KEV

no

Activities

very low
