CVE-2025-13311 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Just Highlight plugin for WordPress, affecting all versions up to and including 1.0.3. The vulnerability stems from insufficient sanitization and escaping of user input in the 'Highlight Color' configuration setting. Because the input is stored and later rendered in the plugin's settings page without proper neutralization, an attacker with administrator-level access can inject arbitrary JavaScript code. This malicious code executes in the context of any user who views the affected settings page, potentially compromising their session, stealing credentials, or performing unauthorized actions. The vulnerability requires authenticated access with high privileges, limiting exploitation to trusted users who have administrative rights. The CVSS 3.1 base score is 4.4 (medium severity), reflecting the network attack vector, high attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability is significant because it allows persistent script injection, which can be leveraged for further attacks such as privilege escalation or lateral movement within the WordPress environment. The flaw is categorized under CWE-79, indicating improper neutralization of input during web page generation. The vulnerability was published on November 25, 2025, and assigned by Wordfence. No official patches or updates have been linked yet, so mitigation relies on configuration changes or plugin updates once available.

The primary impact of CVE-2025-13311 is the potential for persistent Cross-Site Scripting attacks within WordPress sites using the Just Highlight plugin. Successful exploitation can lead to session hijacking, theft of sensitive user information, unauthorized actions performed on behalf of users, and defacement of administrative interfaces. Since the vulnerability requires administrator-level access to exploit, it poses a risk mainly from insider threats or compromised admin accounts. However, once exploited, the injected scripts can affect any user who accesses the plugin's settings page, potentially expanding the attack surface. This can undermine the confidentiality and integrity of the affected WordPress environment and may facilitate further attacks such as malware deployment or privilege escalation. Organizations relying on this plugin risk reputational damage, data breaches, and operational disruption if the vulnerability is exploited. The medium CVSS score reflects a moderate risk, but the scope of impact can be significant in environments with multiple administrators or high-value targets. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits after disclosure.

To mitigate CVE-2025-13311, organizations should immediately restrict administrative access to trusted personnel only, minimizing the risk of insider exploitation. Administrators should avoid using the 'Highlight Color' setting until a patch or update is released. Monitoring and auditing administrative actions related to plugin settings can help detect suspicious activity. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections in plugin settings pages can provide temporary protection. Site owners should subscribe to vendor and security mailing lists to receive updates on patches or new releases addressing this vulnerability. Once a fixed version of the Just Highlight plugin is available, prompt updating is critical. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs. Finally, consider limiting the number of administrators and enforcing strong authentication mechanisms to reduce the risk of credential compromise.