CVE-2025-13537 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in the Live Composer – Free WordPress Website Builder plugin for WordPress. This vulnerability affects all versions up to and including 2.0.2. The root cause is insufficient sanitization and escaping of user-supplied input attributes during DOM manipulation, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires no user interaction beyond viewing the page but does require authenticated access at a Contributor level or above, which is a moderate barrier to exploitation. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact, but no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors or editors. The lack of patches at the time of publication necessitates immediate mitigation steps to reduce risk.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, potentially resulting in session hijacking, data theft, defacement, or unauthorized actions performed by attackers impersonating legitimate users. Organizations relying on the Live Composer plugin for website building and content management are particularly vulnerable if they allow Contributor-level access to multiple users. The impact on confidentiality and integrity can affect customer trust, regulatory compliance (e.g., GDPR), and brand reputation. Although availability is not directly impacted, the indirect consequences of compromised sites can include downtime or costly remediation efforts. The risk is heightened in sectors with sensitive data or critical online services, such as e-commerce, government portals, and financial institutions. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability details are widely known.

1. Immediately restrict Contributor-level and higher privileges to trusted users only, minimizing the number of users who can inject content. 2. Monitor and audit user-generated content for suspicious scripts or unexpected HTML tags. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the Live Composer plugin. 4. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 5. Until an official patch is released, consider disabling or replacing the Live Composer plugin with alternative, secure page builders. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Regularly update WordPress core and plugins to their latest versions once patches become available. 8. Conduct penetration testing focused on stored XSS vectors in user-editable content areas to identify residual risks.