CVE-2025-13054 is a stored Cross-Site Scripting (XSS) vulnerability categorized under CWE-79, found in the WordPress plugin 'User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor' developed by cozmoslabs. The vulnerability affects all plugin versions up to and including 3.14.8. It stems from inadequate input sanitization and output escaping in the handling of the wppb-embed shortcode, which processes user-supplied attributes. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the injected scripts are stored, they execute every time any user views the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is particularly concerning because contributor-level access is often granted to trusted users, making exploitation feasible in many WordPress environments. The plugin is widely used for user registration and profile management, increasing the potential attack surface. Mitigation requires careful input validation, output encoding, and restricting permissions to trusted users until a patch is available.

The impact of CVE-2025-13054 is significant for organizations using the affected WordPress plugin, as it allows authenticated users with contributor-level access or higher to inject persistent malicious scripts into web pages. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, and potential data leakage. Since the vulnerability affects user profile and registration forms, attackers could target sensitive user data or escalate privileges by exploiting trust relationships. The scope of affected systems is broad due to the popularity of WordPress and this plugin for user management. The requirement for authenticated access limits exploitation to insiders or compromised accounts but does not eliminate risk, as contributor roles are commonly assigned. The vulnerability compromises confidentiality and integrity but does not impact availability. Organizations with public-facing WordPress sites that use this plugin are at risk of reputational damage, data breaches, and user trust erosion if exploited.

Organizations should immediately audit their WordPress installations to identify the use of the affected 'User Profile Builder' plugin versions up to 3.14.8. Until an official patch is released, administrators should restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. Implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs can provide temporary protection. Additionally, site administrators should review and sanitize all user-generated content, especially content processed by the wppb-embed shortcode. Monitoring logs for unusual activity or script injections is recommended. Once a vendor patch is available, prompt updating of the plugin is critical. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular security training for users with elevated permissions can reduce the risk of insider threats exploiting this vulnerability.