CVE-2025-13367 is a stored Cross-Site Scripting (XSS) vulnerability identified in the wpeverest User Registration & Membership plugin for WordPress, affecting all versions up to and including 4.4.6. The vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient sanitization and output escaping of multiple shortcode attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript code into pages via these shortcode attributes. Because the malicious script is stored, it executes every time any user accesses the compromised page, potentially allowing attackers to hijack user sessions, steal cookies, perform actions on behalf of users, or deface the website. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and scope change. The impact primarily affects confidentiality and integrity but not availability. No public exploits are known at this time, but the vulnerability is publicly disclosed and should be considered a significant risk for affected WordPress sites. The plugin is widely used for custom registration forms, login forms, user profiles, content restriction, and membership management, making it a critical component in many WordPress deployments. The vulnerability was reserved in November 2025 and published in December 2025 by Wordfence.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of user data and website content. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, unauthorized actions, or data theft. This can undermine user trust, damage brand reputation, and lead to compliance violations under GDPR if personal data is compromised. Since the vulnerability affects membership and user management functionalities, organizations relying on this plugin for customer or employee portals are particularly at risk. The exploitation does not require user interaction but does require authenticated access, which may limit exposure but still presents a significant threat if contributor accounts are compromised or misused. The lack of availability impact means service disruption is unlikely, but the integrity and confidentiality risks remain substantial. European organizations with public-facing WordPress sites using this plugin should prioritize mitigation to prevent exploitation.

1. Monitor for and apply official patches or updates from the wpeverest plugin vendor as soon as they are released to address CVE-2025-13367. 2. Until a patch is available, restrict contributor-level user permissions to the minimum necessary and audit existing contributor accounts for suspicious activity. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious shortcode attribute payloads targeting this vulnerability. 4. Employ additional input validation and output encoding on shortcode attributes at the application or server level to reduce injection risk. 5. Conduct regular security audits and penetration testing focused on WordPress plugins and user input handling. 6. Educate site administrators and content contributors about the risks of injecting untrusted content and enforce strict content policies. 7. Consider disabling or replacing the affected plugin with alternatives that follow secure coding practices if immediate patching is not feasible. 8. Monitor logs for unusual script injection attempts or anomalous contributor activity to detect early exploitation attempts.