A high-severity vulnerability, identified as CVE-2025-10635, has been discovered in the "Find Me On" WordPress plugin. This flaw could allow an unauthenticated attacker to compromise the security of an affected website, potentially leading to unauthorized access, data theft, or full site takeover. Organizations using this plugin are strongly advised to take immediate action to mitigate this significant risk.

The vulnerability is an unauthenticated stored Cross-Site Scripting (XSS) flaw within the "Find Me On" plugin. An attacker can inject a malicious script into a component of the plugin that is rendered on the website. When a privileged user, such as an administrator, views the compromised page, the malicious script executes within their browser, allowing the attacker to hijack their session, steal credentials, perform administrative actions on their behalf, or redirect users to malicious sites.

This vulnerability is rated as High severity with a CVSS score of 7.7. Successful exploitation could have a significant negative impact on the business. Potential consequences include the compromise of sensitive company or customer data, website defacement, and the distribution of malware to site visitors, leading to severe reputational damage and loss of customer trust. The organization could also face regulatory fines and significant costs associated with incident response and system recovery.

Immediate Action:

• Immediately update the "Find Me On" WordPress plugin to the latest patched version provided by the developer.
• If the plugin is not essential for business operations, the most secure course of action is to deactivate and completely remove it from the WordPress installation.
• Review all WordPress administrator accounts for any signs of compromise or unauthorized creation.

Proactive Monitoring:

• Monitor web server access logs for unusual POST requests to the plugin's endpoints that may contain script tags or other HTML/JavaScript payloads.
• Implement file integrity monitoring to detect unauthorized changes to plugin files or core WordPress files.
• Review the website's output for any injected, unexpected scripts or content.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block XSS attacks.
• Enforce a strong Content Security Policy (CSP) header on the website to restrict the execution of untrusted scripts, which can limit the impact of an XSS attack.
• Restrict administrative access to the WordPress dashboard to trusted IP addresses only.

Public Exploit Available: false

Given the high-severity CVSS score of 7.7, we strongly recommend that all organizations using the affected "Find Me On" plugin prioritize remediation immediately. The risk of website compromise and data theft is significant. The recommended course of action is to apply the security update without delay. If the plugin is not critical, it should be removed entirely to eliminate the attack surface. Although this vulnerability is not currently on the CISA KEV list, its status could change if widespread exploitation is observed.