CVE-2025-13367 is a stored cross-site scripting (XSS) vulnerability identified in the wpeverest User Registration & Membership plugin for WordPress, which is widely used for custom registration forms, login forms, user profiles, content restriction, and membership management. The vulnerability arises from improper neutralization of input during web page generation, specifically within multiple shortcode attributes. Due to insufficient input sanitization and output escaping, authenticated users with contributor-level privileges or higher can inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the browsers of any users who visit the affected pages. The vulnerability affects all plugin versions up to and including 4.4.6. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with an attack vector over the network, low complexity, privileges required at the contributor level, no user interaction needed, and a scope change indicating that the vulnerability can affect components beyond the initially vulnerable plugin. The impact includes potential theft of session cookies, unauthorized actions performed on behalf of users, defacement, or redirection to malicious sites. No public exploits have been reported yet, but the vulnerability is significant due to the plugin’s popularity and the ease of exploitation by authenticated users. The lack of patches or official fixes at the time of publication increases the urgency for mitigation.

The vulnerability allows authenticated attackers with contributor-level access or higher to inject persistent malicious scripts into WordPress pages, which execute in the context of any user visiting those pages. This can lead to session hijacking, credential theft, unauthorized actions, and potential privilege escalation. Organizations using this plugin for membership or user management risk compromise of user accounts and site integrity. The attack can undermine trust in the affected websites, cause data breaches, and disrupt business operations. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts pose a significant risk. The scope change in the CVSS vector indicates that the impact may extend beyond the plugin itself, potentially affecting other site components and users. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially given the plugin’s widespread use in various sectors including education, e-commerce, and community platforms.

1. Immediately upgrade the wpeverest User Registration & Membership plugin to the latest version once a patch is released by the vendor. 2. Until a patch is available, restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious script injection. 3. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious shortcode attribute inputs that may contain script tags or event handlers. 4. Conduct thorough input validation and output encoding on all user-generated content, especially shortcode attributes, to prevent injection. 5. Regularly audit user roles and permissions to ensure no unnecessary privileges are granted. 6. Monitor website pages for unexpected script injections or unusual behavior indicative of XSS exploitation. 7. Educate site administrators and contributors about the risks of XSS and safe content practices. 8. Consider deploying Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. 9. Backup website data frequently to enable recovery in case of compromise. 10. Stay informed about updates from the plugin vendor and security advisories related to this vulnerability.