CVE-2025-13531 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Stylish Order Form Builder plugin for WordPress, developed by hayyatapps. The vulnerability exists in all versions up to and including 1.0 due to improper neutralization of input during web page generation, specifically in the 'product_name' parameter. Authenticated attackers with Subscriber-level access or higher can inject arbitrary JavaScript code into the plugin's pages. Because the malicious script is stored, it executes whenever any user accesses the compromised page, potentially affecting administrators and other users. The root cause is insufficient input sanitization and lack of output escaping, allowing script tags or event handlers to be embedded in product names. The CVSS 3.1 score of 6.4 reflects that the attack vector is network-based, requires low attack complexity, and only low privileges, but no user interaction is needed. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser. Availability is not directly affected. No patches or official fixes have been published yet, and no known exploits have been reported in the wild. However, the vulnerability poses a significant risk for WordPress sites using this plugin, especially those that allow Subscriber-level users to add or edit product names. Attackers could leverage this to compromise site users or administrators, leading to broader site compromise or data leakage.

For European organizations, this vulnerability could lead to unauthorized access to sensitive information, session hijacking, and potential defacement or manipulation of e-commerce order forms. Organizations relying on the Stylish Order Form Builder plugin for customer-facing order forms risk exposing their users to malicious scripts that can steal cookies, redirect users to phishing sites, or perform actions on behalf of users without consent. This can damage brand reputation, lead to regulatory non-compliance under GDPR due to data breaches, and cause financial losses. The impact is particularly critical for organizations handling personal or payment data through WordPress sites. Since the vulnerability requires only Subscriber-level access, attackers may exploit compromised or weak user accounts to inject malicious payloads. The lack of patches increases the window of exposure. Additionally, the stored nature of the XSS means that multiple users can be affected over time, increasing the attack surface. European organizations with e-commerce or customer portals using this plugin are at heightened risk.

1. Immediately restrict Subscriber-level users from adding or editing product names until a patch is available. 2. Implement Web Application Firewall (WAF) rules to detect and block suspicious script tags or JavaScript event handlers in input fields related to product names. 3. Apply custom input validation and output encoding on the 'product_name' parameter via WordPress hooks or filters to sanitize inputs and escape outputs. 4. Monitor logs and user activity for unusual changes to product names or injection attempts. 5. Disable or remove the Stylish Order Form Builder plugin if it is not essential or if no timely patch is available. 6. Educate site administrators and users about the risks of XSS and encourage strong password policies to prevent account compromise. 7. Stay updated with vendor announcements for patches and apply them promptly once released. 8. Conduct regular security audits and penetration testing focusing on user input handling in WordPress plugins.