CVE-2025-13497: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zanderz Recras
The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-13497 is a stored cross-site scripting (XSS) vulnerability in the Recras WordPress plugin, which provides booking and reservation functionality. The defect is in the handling of the 'recrasname' shortcode attribute: its value is neither sanitized when the post is saved nor escaped when the shortcode is rendered, so whatever an author places in the attribute is emitted into the page's HTML verbatim. All versions up to and including 6.4.1 are affected.
The shortcode attribute matters because of how WordPress treats low-privileged authors. Contributors lack the unfiltered_html capability, so their post content passes through the KSES filter on save, which removes disallowed tags and event-handler attributes. KSES inspects HTML tags, not the text inside shortcode brackets, so a quote character or other attribute-breakout sequence placed in a shortcode attribute survives saving intact; the shortcode is only expanded when the page is rendered, and if the plugin's handler echoes the attribute without escaping, those characters become live markup at that point. This is why Contributor-level access or higher is sufficient, and why the payload also reaches editors and administrators who preview or review the post.
Because the script is stored in post content it executes every time the page is viewed, so it can read cookies or other session state exposed to JavaScript, perform actions in the viewer's authenticated context, or alter what the page displays. Viewing the page is the only interaction required. The CVSS v3.1 score is 6.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, and low (partial) confidentiality and integrity impact, with the changed scope usual for XSS (the script runs in the visitor's browser rather than within the plugin's own security scope) lifting the score from 5.4 to 6.4. No exploitation in the wild had been reported at the time of publication. The CVE was reserved on 2025-11-20 and published in early 2026; no fixed release is linked in this record. The weakness class is CWE-79. The fix pattern is the standard WordPress one: sanitize the attribute on input (for example with sanitize_text_field()) and escape on output with the function that matches the output context, esc_html() for element text and esc_attr() for attribute values.
Potential Impact
For European organizations running WordPress sites with the Recras plugin for booking or reservation services, the impact can be significant. Successful exploitation allows session hijacking, actions performed in the context of legitimate users, defacement, or redirection to malicious sites, undermining user trust and causing reputational damage. Confidentiality and integrity of user data are at risk; availability is not directly affected. Because Contributor-level access suffices, insider threats and compromised contributor accounts raise the risk, and SMEs and service providers that expose Recras on client-facing portals are particularly exposed. The most serious outcome follows if an editor or administrator views the injected page: the script then runs with that user's session and can do anything that user can do through the WordPress interface, such as creating accounts or installing plugins, which turns a medium-severity XSS into a full site compromise. Given the widespread use of WordPress across Europe the potential surface is broad, but actual exposure depends on whether this plugin is installed and on the site's privilege model.
Mitigation Recommendations
1. Restrict Contributor-level and higher roles to trusted users and review who currently holds them; a compromised or malicious Contributor account is all this issue requires.
2. Audit post content, including drafts, pending posts and revisions, for shortcodes that carry a 'recrasname' attribute, and review any value containing quotes, angle brackets, HTML entity sequences, or on*= event-handler names. Do the audit in the database or with WP-CLI rather than by opening the pages in a browser, so that a stored payload is not executed while you look for it.
3. Until a fixed release is available, either disable the affected shortcodes (for example with remove_shortcode() from a must-use plugin) or wrap their output so the attribute value passes through esc_attr() or esc_html(), whichever matches the output context. Do not assume a security plugin's generic "sanitize shortcode inputs" feature covers this attribute without testing it.
4. Use a Web Application Firewall with XSS rules to block typical payloads on submission. This only catches new injections; content that is already stored has to be found by the audit in step 2.
5. Educate content contributors about the risks of injecting untrusted content and enforce content submission guidelines.
6. Keep WordPress core and all plugins up to date, and apply the Recras update as soon as a release addressing this CVE is published.
7. Include stored XSS through shortcode attributes in penetration tests of sites running Recras.
8. Deploy a Content Security Policy that restricts script sources to limit the impact of any XSS. WordPress themes and plugins rely heavily on inline scripts, so a policy without 'unsafe-inline' needs nonces or hashes and careful testing before it is enforced.
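The content audit in item 2 can be scripted, and doing so also makes the shortcode-attribute vector from the technical analysis concrete. The following is an added example written for this page, not code from the Recras plugin or from Wordfence. It extracts shortcodes from post content, parses their attributes with a simplified version of the grammar that WordPress's shortcode_parse_atts() accepts, and flags any 'recrasname' value containing attribute-breakout or script indicators; escape_attr() then shows what esc_attr()-style escaping from item 3 does to a flagged value. The 'recras' tag prefix, the indicator patterns, and the sample posts are assumptions constructed for the demonstration. To use it on a real site, feed scan_posts() the (ID, post_content) rows exported from the database or via WP-CLI.

```python
"""Audit WordPress post content for shortcodes whose 'recrasname' attribute
carries HTML or script metacharacters (CVE-2025-13497 hunting aid).

Added example for this advisory; it is not code from the Recras plugin.
Assumptions: the relevant shortcode tags start with 'recras', the value
patterns below are generic XSS indicators rather than the plugin's real
sink, and SAMPLE_POSTS is constructed test data.
"""
import html
import re
from dataclasses import dataclass, field

# Attributes run to the first ']', as in WordPress's own shortcode regex.
SHORTCODE_RE = re.compile(r"\[(?P<tag>recras[\w-]*)(?P<atts>[^\]]*)\]")

# Simplified form of the three name=value shapes shortcode_parse_atts()
# accepts: double-quoted, single-quoted and bare.
ATTR_RE = re.compile(
    r'''([\w-]+)\s*=\s*"([^"]*)"|([\w-]+)\s*=\s*'([^']*)'|([\w-]+)\s*=\s*([^\s"']+)'''
)

# Heuristic indicators; each hit is reported by its label.
INDICATORS = [
    ("quote or angle bracket", re.compile(r'''[<>"']''')),
    ("entity-encoded markup", re.compile(r"&#|&lt;|&gt;", re.I)),
    ("javascript: URL", re.compile(r"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]


@dataclass
class Finding:
    post_id: int
    tag: str
    value: str
    reasons: list = field(default_factory=list)


def parse_atts(text):
    """Attribute name (lowercased, as WordPress does) -> raw value."""
    atts = {}
    for m in ATTR_RE.finditer(text):
        name, value = [g for g in m.groups() if g is not None]
        atts[name.lower()] = value
    return atts


def scan_post(post_id, content, attribute="recrasname"):
    """Return a Finding for each recras* shortcode whose attribute looks hostile."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        atts = parse_atts(sc.group("atts"))
        if attribute not in atts:
            continue
        value = atts[attribute]
        reasons = [label for label, rx in INDICATORS if rx.search(value)]
        if reasons:
            findings.append(Finding(post_id, sc.group("tag"), value, reasons))
    return findings


def scan_posts(posts, attribute="recrasname"):
    """posts: iterable of (post_id, post_content) pairs, e.g. exported via WP-CLI."""
    return [f for post_id, body in posts for f in scan_post(post_id, body, attribute)]


def escape_attr(value):
    """What esc_attr()-style escaping does to a flagged value before it is
    echoed into an HTML attribute: & < > " ' all become entities, so the
    breakout sequence renders as text instead of markup."""
    return html.escape(value, quote=True)


# Constructed sample rows, not real site data.
SAMPLE_POSTS = [
    (101, 'Book here: [recras recrasname="Example Outdoor Center"] and enjoy.'),
    (102, """Intro [recras recrasname='x" onmouseover="alert(1)'] outro"""),
    (103, '[recras recrasname="<img src=x onerror=alert(1)>"]'),
    (104, "[recras recrasname=&#60;svg/onload=alert(1)&#62;]"),
    (105, '[recras other="value"] then [gallery ids="1,2,3"]'),
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f.post_id} [{f.tag}] recrasname={f.value!r}: {', '.join(f.reasons)}")
        print(f"    escaped: {escape_attr(f.value)}")
```

Run it against drafts, pending posts and revisions as well as published content: a payload sitting in a pending Contributor post is executed by the editor who previews it. The indicators are intentionally broad; a legitimate venue name containing an apostrophe will be reported too, so treat hits as a review queue rather than as confirmed exploitation.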
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-20T22:10:04.546Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e1b2fa55ed4ed998cb643
Added to database: 1/7/2026, 8:37:03 AM
Last enriched: 1/7/2026, 8:54:12 AM
Last updated: 1/8/2026, 6:01:37 PM