CVE-2025-7651

Name of the Vulnerable Software and Affected Versions: Earnware Connect versions prior to 1.0.74

Description: The Earnware Connect plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew hasrole shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page.

Recommendations: Update Earnware Connect to version 1.0.74 or later.