CVE-2025-13537 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in the Live Composer – Free WordPress Website Builder plugin for WordPress. This vulnerability affects all versions up to and including 2.0.2. The root cause is insufficient input sanitization and output escaping on user-supplied attributes during DOM manipulation, allowing malicious script injection. An attacker with authenticated Contributor-level access or higher can exploit this by injecting arbitrary JavaScript code into pages created or edited with the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or phishing. The vulnerability does not require user interaction beyond page access and does not affect availability. The CVSS 3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required but no user interaction. No public exploits are known at this time, but the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin. The vulnerability's scope is limited to sites using this plugin and having users with Contributor or higher privileges, which is common in multi-author WordPress environments.

The primary impact of CVE-2025-13537 is on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, defacement, or distribution of malware. Since the vulnerability requires authenticated access at Contributor level or above, attackers must first compromise or have legitimate access to an account with these privileges, limiting the attack surface but not eliminating risk. Organizations with multiple content contributors or editors are particularly vulnerable. The vulnerability does not impact availability directly but can facilitate further attacks that degrade service or trust. Given WordPress's global popularity and the plugin's user base, many websites—especially content-heavy or multi-author sites—are at risk. Exploitation could damage organizational reputation, lead to data breaches, and require costly incident response and remediation.

To mitigate CVE-2025-13537, organizations should immediately update the Live Composer plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level and higher privileges to trusted users only and audit existing users for unnecessary permissions. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injection patterns can reduce risk. Site administrators should enable Content Security Policy (CSP) headers to limit script execution sources. Regularly scanning the website for injected scripts or anomalies in page content can help detect exploitation attempts early. Additionally, hardening WordPress installations by disabling unnecessary plugins, enforcing strong authentication mechanisms, and monitoring user activities will reduce the likelihood of successful exploitation. Educating contributors about safe content practices and potential risks is also advisable. Finally, maintaining regular backups ensures recovery capability if compromise occurs.