CVE-2025-9852 in Yoga Schedule Momoyoga Plugin
Summary
by MITRE • 09/30/2025
The Yoga Schedule Momoyoga plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'momoyoga-schedule' shortcode in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/30/2025
The vulnerability identified as CVE-2025-9852 affects the Yoga Schedule Momoyoga plugin for WordPress, specifically targeting versions up to and including 2.9.0. This represents a critical security flaw that enables stored cross-site scripting attacks through the plugin's 'momoyoga-schedule' shortcode implementation. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the plugin's shortcode functionality. The affected plugin operates within the WordPress ecosystem, where it provides scheduling capabilities for yoga instructors and students, making it a potentially attractive target for malicious actors seeking to exploit user sessions and access sensitive information.
The technical exploitation of this vulnerability occurs through the manipulation of shortcode attributes that are processed by the plugin without proper sanitization measures. When authenticated users with contributor-level access or higher attempt to create or modify content containing the vulnerable shortcode, malicious scripts can be stored within the plugin's data structures. These stored scripts remain dormant until accessed by other users who view pages containing the injected content, at which point the malicious code executes within the victim's browser context. This stored nature of the vulnerability means that the attack vector persists even after the initial injection, allowing attackers to compromise multiple users over time without requiring repeated exploitation attempts.
From an operational impact perspective, this vulnerability creates significant risks for WordPress sites utilizing the affected plugin, particularly those with multiple contributors or users who may inadvertently access compromised content. The attack requires only contributor-level privileges, which are often granted to trusted users within WordPress environments, making the vulnerability particularly dangerous as it can be exploited by insiders or compromised accounts with relatively low privilege levels. The stored nature of the XSS attack means that successful exploitation can affect any user who views pages containing the malicious shortcode, potentially leading to session hijacking, credential theft, or redirection to malicious sites. This vulnerability directly violates security principles outlined in CWE-79, which addresses cross-site scripting flaws in web applications.
The exploitation of CVE-2025-9852 aligns with tactics described in the ATT&CK framework under the T1566 technique for initial access through spearphishing attachments or links, though the specific vector here involves content manipulation within a trusted application environment. The vulnerability creates opportunities for attackers to establish persistent access through session manipulation and data exfiltration techniques, potentially enabling broader compromise of the WordPress installation. Organizations using this plugin face risks of unauthorized data access, content manipulation, and potential lateral movement within their network infrastructure. The vulnerability's impact extends beyond simple script execution, as it can serve as a foothold for more sophisticated attacks targeting the underlying WordPress installation and associated systems.
Mitigation strategies for CVE-2025-9852 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. System administrators should implement strict access controls and monitor user activities within WordPress environments, particularly for users with contributor privileges or higher. Regular security audits of installed plugins and themes should be conducted to identify similar vulnerabilities, while input validation should be strengthened across all user-supplied data entry points. Network monitoring solutions should be configured to detect suspicious script execution patterns, and users should be educated about the risks of accessing untrusted content within WordPress environments. Organizations should also consider implementing content security policies and regular security assessments to prevent similar vulnerabilities from being introduced through third-party plugins and themes.