The wpeverest User Registration & Membership plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) identified as CVE-2025-13367. This vulnerability affects all versions up to and including 4.4.6. It allows authenticated users with contributor-level permissions or higher to inject arbitrary web scripts through multiple shortcode attributes due to inadequate input sanitization and output escaping. When other users access pages containing the injected scripts, these scripts execute in their browsers, potentially leading to session hijacking, defacement, or other malicious actions. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity with network attack vector, low attack complexity, and no user interaction required. No patch or official fix information is currently available, and no exploits are known to be active in the wild.

An attacker with contributor-level or higher access can inject persistent malicious scripts into pages via shortcode attributes. These scripts execute in the context of users visiting the infected pages, potentially leading to theft of user credentials, session tokens, or other sensitive information. The impact is limited to confidentiality and integrity loss with no reported availability impact. The vulnerability requires authenticated access, reducing the attack surface compared to unauthenticated XSS. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only. Review and sanitize all shortcode inputs manually if possible. Monitor plugin updates from wpeverest and apply official patches promptly once available. Consider implementing web application firewall (WAF) rules to detect and block suspicious shortcode attribute payloads.