CVE-2025-6257: 
WordPress vulnerability analysis and mitigation

The Euro FxRef Currency Converter plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6257) in versions up to and including 2.0.2. The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's currency shortcode. This security issue was discovered by researcher Gilang and reported through Wordfence (NVD).

The vulnerability stems from improper sanitization of user input in the currency shortcode attributes. The issue affects several text attributes including 'from', 'to', 'between', 'append', and 'round_append'. When these attributes are processed, they lack proper HTML escaping, allowing authenticated users with contributor-level access or higher to inject malicious scripts. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability has been patched in version 2.0.3 of the Euro FxRef Currency Converter plugin. The fix includes proper HTML escaping of user-supplied attributes and making all texts translatable. Users are advised to update to version 2.0.3 immediately (WordPress Plugin, GitHub Commit).