CVE-2025-13367 is a stored cross-site scripting (XSS) vulnerability identified in the wpeverest User Registration & Membership plugin for WordPress, affecting all versions up to and including 4.4.6. The vulnerability arises from improper neutralization of input during web page generation, specifically through multiple shortcode attributes that lack sufficient input sanitization and output escaping. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored, it executes whenever any user visits the infected page, enabling potential attacks such as session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of users. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting medium severity, with an attack vector of network (remote exploitation), low attack complexity, requiring privileges (authenticated contributor or above), no user interaction, and scope change (impacting other components). Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the common use of WordPress and this plugin for managing user registrations and memberships. The plugin’s widespread deployment in various organizational websites increases the attack surface. The vulnerability is categorized under CWE-79, indicating improper neutralization of input leading to cross-site scripting. The lack of patches at the time of reporting necessitates immediate attention to mitigate risks.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted websites, potentially compromising user accounts, leaking sensitive data, or enabling further attacks such as privilege escalation or defacement. Organizations relying on the affected plugin for user registration and membership management are particularly vulnerable, as attackers with contributor-level access can embed malicious scripts that affect all visitors or logged-in users. This can damage organizational reputation, violate data protection regulations such as GDPR due to potential data breaches, and disrupt business operations. The medium severity score reflects moderate impact, but the scope change and ease of exploitation by authenticated users increase the risk in environments with multiple contributors. The vulnerability could be leveraged in targeted attacks against European entities with public-facing WordPress sites, especially those with active user communities or membership portals.

1. Immediately monitor and restrict contributor-level user privileges to trusted personnel only, minimizing the risk of malicious script injection. 2. Apply strict input validation and output encoding on all shortcode attributes used in the plugin, either via custom code or security plugins that enforce sanitization. 3. Regularly audit user-generated content and shortcode usage to detect and remove any injected scripts. 4. Keep WordPress core and all plugins updated; prioritize applying the official patch from wpeverest once released. 5. Employ Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting shortcode attributes. 6. Educate content contributors about security best practices and the risks of injecting untrusted content. 7. Consider temporarily disabling or replacing the plugin with a more secure alternative if immediate patching is not possible. 8. Implement Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact if exploitation occurs.