CVE-2025-13418 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Responsive Pricing Table plugin for WordPress, developed by spwebguy. The vulnerability arises from improper neutralization of input during web page generation, specifically within the 'plan_icons' parameter. Versions up to and including 5.1.12 are affected. The root cause is insufficient input sanitization and lack of proper output escaping, allowing authenticated users with Author-level or higher privileges to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability is classified under CWE-79 and has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requiring low attack complexity and privileges of an authenticated user, but no user interaction is needed for exploitation. The scope is changed, as the vulnerability can affect other users beyond the attacker. No public exploits have been reported yet, and no official patches are currently available. The vulnerability was reserved in November 2025 and published in January 2026 by Wordfence. The plugin is commonly used in WordPress sites to display pricing tables responsively, making it a popular component in e-commerce and service websites.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications using the Responsive Pricing Table plugin. Attackers with Author-level access can inject malicious scripts that execute in the browsers of site visitors or other users, potentially stealing session cookies, redirecting users to phishing sites, or performing unauthorized actions on behalf of victims. This can lead to data breaches, reputational damage, and loss of customer trust. Since WordPress powers a large portion of websites in Europe, including many small and medium enterprises, the attack surface is considerable. The vulnerability could be exploited to target internal users or customers, especially in sectors like e-commerce, finance, and digital services where pricing tables are commonly used. The lack of a patch increases the window of exposure, and organizations relying on multi-author workflows are particularly vulnerable. Additionally, the cross-site scripting can facilitate further attacks such as malware distribution or lateral movement within compromised networks.

European organizations should immediately audit their WordPress installations to identify the use of the Responsive Pricing Table plugin and verify the version in use. Until an official patch is released, organizations should restrict Author-level and higher privileges to trusted users only, minimizing the risk of malicious input injection. Implementing Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'plan_icons' parameter can provide temporary protection. Administrators can also apply custom input validation and output encoding in the plugin code or via hooks/filters if feasible. Regularly monitoring logs for unusual activity related to pricing table pages is advised. Organizations should plan to update the plugin promptly once a patch becomes available. Additionally, educating content authors about the risks of injecting untrusted content and enforcing strict content policies can reduce exploitation chances. Employing Content Security Policy (CSP) headers to restrict script execution sources can mitigate the impact of successful XSS attacks.