CVE-2025-7651: 
WordPress vulnerability analysis and mitigation

The Earnware Connect WordPress plugin (versions up to 1.0.73) was identified with CVE-2025-7651, a Stored Cross-Site Scripting vulnerability discovered in August 2025. The vulnerability affects the plugin's 'ew_hasrole' shortcode functionality and impacts WordPress installations using the affected versions (NVD). The plugin has been temporarily closed for download since August 14, 2025, pending a full security review (WordPress Plugin).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the 'ew_hasrole' shortcode. The severity is rated as MEDIUM with a CVSS 3.1 Base Score of 6.4 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation (NVD).

As of August 14, 2025, the plugin has been temporarily closed and is not available for download pending a security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).