CVE-2025-13418 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Responsive Pricing Table plugin for WordPress developed by spwebguy. This vulnerability affects all versions up to and including 5.1.12. The root cause is insufficient sanitization and escaping of the 'plan_icons' parameter during web page generation. Authenticated users with Author-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize the vulnerable parameter. When other users visit these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of the victim. The vulnerability does not require user interaction beyond visiting the infected page and can be exploited remotely over the network. The CVSS v3.1 base score is 6.4, indicating a medium severity with network attack vector, low attack complexity, and privileges required at the Author level. The scope is changed (S:C), meaning the vulnerability affects resources beyond the attacker’s privileges. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was reserved in November 2025 and published in January 2026 by Wordfence. Given the widespread use of WordPress and the popularity of pricing table plugins, this vulnerability presents a notable risk to websites that rely on this plugin for pricing display functionality.

The impact of CVE-2025-13418 is primarily on the confidentiality and integrity of affected websites and their users. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim’s browser, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or defacement of web content. Since the vulnerability requires Author-level access, it is particularly dangerous in environments with multiple contributors or where account compromise is possible. The scope change means attackers can affect users beyond their own privileges, increasing the risk of widespread impact. While availability is not directly affected, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations running the vulnerable plugin risk exposure to targeted attacks, especially if attackers gain Author-level credentials through phishing or other means. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes widely known.

To mitigate CVE-2025-13418, organizations should take the following specific actions: 1) Immediately update the Responsive Pricing Table plugin to a patched version once available; monitor vendor announcements for official fixes. 2) In the absence of a patch, restrict Author-level privileges to trusted users only and review user roles to minimize unnecessary elevated access. 3) Implement web application firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the 'plan_icons' parameter. 4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5) Conduct regular security audits and code reviews of plugins and custom code to identify and remediate input validation issues. 6) Educate content authors about the risks of injecting untrusted content and enforce strict input sanitization on user-generated content. 7) Monitor logs and user activity for signs of exploitation attempts or unusual behavior. 8) Consider temporarily disabling or replacing the plugin if immediate patching is not feasible. These steps go beyond generic advice by focusing on access control, proactive detection, and layered defenses tailored to the nature of this stored XSS vulnerability.