CVE-2025-13311 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Just Highlight plugin for WordPress, affecting all versions up to and including 1.0.3. The vulnerability stems from insufficient sanitization and output escaping of the 'Highlight Color' setting, which is a configurable option within the plugin. An attacker with administrator-level privileges can inject arbitrary JavaScript code into this setting. Because the malicious script is stored persistently, it executes whenever any user with access views the plugin's settings page, potentially leading to session hijacking, privilege escalation, or other malicious actions within the WordPress admin interface. The CVSS 3.1 base score is 4.4, reflecting a network attack vector (remote), high attack complexity, requiring high privileges, no user interaction, and a scope change due to the potential impact on other components. The vulnerability affects confidentiality and integrity but not availability. No public exploits are currently known, and no patches have been linked yet. The vulnerability was published on November 25, 2025, and assigned by Wordfence. This issue is categorized under CWE-79, which covers improper neutralization of input during web page generation, a common cause of XSS vulnerabilities.

For European organizations, the impact of this vulnerability depends largely on the deployment of the Just Highlight plugin within their WordPress environments. If exploited, attackers with administrator access could inject malicious scripts that execute in the context of the WordPress admin dashboard, potentially leading to credential theft, unauthorized actions, or further compromise of the CMS environment. This could result in data breaches, defacement, or disruption of web services. Given the requirement for administrator privileges, the threat is somewhat limited to insider threats or compromised admin accounts. However, the scope change indicated by the CVSS score means that the vulnerability could affect multiple users and components beyond the initial injection point. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, could face compliance risks and reputational damage if exploited. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

1. Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts. 2. Immediately review and sanitize all inputs related to the 'Highlight Color' setting in the Just Highlight plugin configuration, applying strict validation and output escaping to prevent script injection. 3. Monitor official plugin repositories and security advisories for patches or updates addressing this vulnerability and apply them promptly once available. 4. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the WordPress admin interface. 5. Conduct regular security audits and vulnerability scans focusing on WordPress plugins, especially those with administrative interfaces. 6. Consider temporarily disabling or removing the Just Highlight plugin if it is not essential, until a secure version is released. 7. Educate administrators about the risks of XSS and the importance of cautious input handling within plugin settings.