CVE-2025-13537 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Live Composer – Free WordPress Website Builder plugin, affecting all versions up to and including 2.0.2. The root cause is improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and output escaping of user-supplied attributes manipulated via the Document Object Model (DOM). This flaw allows authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages created or edited with the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially enabling session hijacking, theft of cookies, defacement, or further exploitation such as privilege escalation or lateral movement within the WordPress environment. The vulnerability has a CVSS v3.1 base score of 6.4, indicating medium severity, with an attack vector of network (remote exploitation), low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change (impacting other components). No public exploits are known at this time, but the vulnerability’s presence in a widely used WordPress plugin increases the risk of future exploitation. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps. The vulnerability affects all versions of the plugin, which is popular among small to medium-sized businesses and content creators for building WordPress websites without coding. The exploitation scenario involves an attacker leveraging their authenticated access to inject malicious scripts that persist in the site content, affecting all visitors and administrators who view the infected pages.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of their WordPress-based websites. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, unauthorized actions, or data theft. This can damage organizational reputation, lead to data breaches involving personal or sensitive information, and disrupt website availability indirectly through defacement or administrative lockout. Given the widespread use of WordPress and the Live Composer plugin among SMEs and digital agencies in Europe, the threat surface is considerable. The vulnerability’s exploitation could also facilitate further attacks within the corporate network if administrative credentials are compromised. Compliance with GDPR and other data protection regulations may be jeopardized if personal data is exposed due to this vulnerability. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly once vulnerabilities are publicized.

1. Monitor for and apply official patches or updates from the Live Composer plugin developers as soon as they become available. 2. Until patches are released, restrict Contributor-level and higher access to trusted users only, minimizing the risk of malicious content injection. 3. Implement a Web Application Firewall (WAF) with robust XSS detection and filtering capabilities to block suspicious script injections and payloads targeting this vulnerability. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected websites. 5. Conduct regular security audits and code reviews of user-generated content to detect and remove injected scripts. 6. Educate content contributors about secure content practices and the risks of injecting untrusted code. 7. Consider disabling or replacing the Live Composer plugin with alternative, actively maintained page builders that follow secure coding practices. 8. Use security plugins that sanitize and validate user inputs and outputs within WordPress environments. 9. Monitor logs and user activity for signs of exploitation attempts or unusual behavior related to page content modifications.