CVE-2025-9852: 
WordPress vulnerability analysis and mitigation

The Yoga Schedule Momoyoga plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-9852) affecting versions up to and including 2.9.0. The vulnerability exists in the plugin's 'momoyoga-schedule' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes (Tenable CVE).

The vulnerability is classified as medium severity and affects the momoyoga-schedule shortcode implementation. The security flaw stems from inadequate input sanitization and output escaping mechanisms for user-supplied attributes, which allows for the injection of malicious web scripts. The vulnerability requires authenticated access with contributor-level privileges or higher to exploit (Tenable CVE).

When successfully exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (Tenable CVE).

Users should update the Yoga Schedule Momoyoga plugin to a version newer than 2.9.0 when available. Until then, it is recommended to restrict access to contributor-level permissions and carefully monitor content created by users with such access (Tenable CVE).