CVE-2025-13531 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Stylish Order Form Builder plugin for WordPress developed by hayyatapps. This vulnerability affects all versions up to and including 1.0. The root cause is insufficient sanitization and escaping of the 'product_name' parameter during web page generation, allowing an authenticated attacker with at least Subscriber-level privileges to inject arbitrary JavaScript code. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially affecting administrators, editors, or other site visitors. The vulnerability requires no user interaction beyond page access and can be exploited remotely over the network. The CVSS v3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, enabling attacks such as session hijacking, privilege escalation, or defacement. No patches or official fixes are currently available, and no known exploits have been observed in the wild. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those handling user-supplied data in dynamic content.

This vulnerability poses a significant risk to organizations running WordPress sites with the Stylish Order Form Builder plugin installed. Attackers with low-level authenticated access can inject malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, unauthorized actions, data theft, or site defacement. The impact extends to the confidentiality and integrity of user data and site content. While availability is not directly affected, the trustworthiness and reputation of affected websites can suffer. Since the vulnerability requires only Subscriber-level access, attackers can exploit compromised or weak user accounts, increasing the attack surface. The lack of patches means organizations remain exposed until mitigations or updates are applied, increasing risk especially for high-traffic or sensitive sites. The vulnerability can also be leveraged as a foothold for further attacks within the network.

Organizations should immediately audit their WordPress installations to identify the presence of the Stylish Order Form Builder plugin and its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate exposure. Restricting user roles and permissions to minimize the number of users with Subscriber or higher access can reduce the risk of exploitation. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious input patterns targeting the 'product_name' parameter can provide temporary protection. Site owners should also enable Content Security Policy (CSP) headers to limit the impact of injected scripts. Regularly monitoring logs for unusual activity related to form submissions or page views can help detect exploitation attempts. Once a patch becomes available, prompt application is critical. Additionally, educating users about phishing and credential hygiene can prevent attackers from gaining the required authenticated access.