CVE-2025-13608 is a stored Cross-Site Scripting (XSS) vulnerability identified in the CC Child Pages plugin for WordPress, affecting all versions up to and including 2.0.0. The vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient sanitization and output escaping of four user-supplied shortcode attributes: use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt within the 'show_child_pages' function. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the 'child_pages' shortcode. When other users access the compromised pages, the malicious scripts execute in their browsers, potentially allowing session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges, no user interaction, and scope change due to impact on other components. No public exploits are currently known, but the risk remains significant given the widespread use of WordPress and the plugin. The vulnerability was published on December 15, 2025, and assigned by Wordfence. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for interim mitigations.

The impact of CVE-2025-13608 is primarily on the confidentiality and integrity of WordPress sites using the CC Child Pages plugin. Successful exploitation allows authenticated contributors or higher to inject persistent malicious scripts that execute in the context of any user viewing the affected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential compromise of administrative accounts if administrators visit the infected pages. Although availability is not directly affected, the reputational damage and potential data breaches can be severe. Organizations relying on this plugin risk unauthorized access and data leakage, especially if contributor accounts are compromised or improperly assigned. The medium CVSS score reflects the requirement for authenticated access, but the low complexity and network attack vector make exploitation feasible in many environments. The scope change indicates that the vulnerability can affect components beyond the immediate plugin, potentially impacting the entire WordPress site and its users.

1. Immediately restrict contributor-level access to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit pages created or edited by contributors for suspicious or unexpected script content, especially those using the 'child_pages' shortcode. 3. Apply strict input validation and output escaping in any custom code interacting with the CC Child Pages plugin attributes to prevent script injection. 4. Disable or remove the CC Child Pages plugin if it is not essential to reduce the attack surface until a patch is released. 5. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the affected shortcode attributes. 6. Educate site administrators and contributors about the risks of XSS and safe content creation practices. 7. Regularly check for updates from the vendor and apply patches promptly once available. 8. Consider using security plugins that can detect and sanitize malicious content in WordPress posts and pages. These steps go beyond generic advice by focusing on access control, content monitoring, and proactive filtering specific to the vulnerability's attack vector.