CVE-2025-13608 is a stored Cross-Site Scripting (XSS) vulnerability identified in the CC Child Pages plugin for WordPress, affecting all versions up to and including 2.0.0. The root cause is insufficient input sanitization and output escaping of four user-supplied shortcode attributes—use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt—within the 'show_child_pages' function. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes in the context of any user who views the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector of network (remote), low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change (meaning the vulnerability can affect resources beyond the vulnerable component). No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a credible threat. The plugin is widely used in WordPress environments to manage and display child pages, making this vulnerability relevant to many websites that rely on this functionality. The lack of a patch at the time of disclosure increases the urgency for mitigation through access control and monitoring.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications running WordPress with the CC Child Pages plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, unauthorized actions, and defacement. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Since WordPress is widely used across Europe for corporate websites, e-commerce platforms, and intranets, the attack surface is considerable. The vulnerability does not directly affect availability but can indirectly cause service disruptions through exploitation or remediation efforts. Organizations with multiple contributors or editors on their WordPress sites are particularly vulnerable. The medium severity score reflects the balance between the required privileges and the potential impact, but the scope change indicates that the vulnerability can affect components beyond the plugin itself, increasing risk. Additionally, compliance with GDPR and other data protection regulations may be impacted if personal data is compromised through exploitation.

1. Monitor for and apply any official patches or updates released by caterhamcomputing for the CC Child Pages plugin immediately upon availability. 2. Until a patch is available, restrict contributor-level access to trusted users only and review user roles to minimize the number of users who can exploit this vulnerability. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads, especially targeting the shortcode attributes involved. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected web pages. 5. Conduct regular security audits and code reviews of WordPress plugins and custom code to identify similar input validation issues. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission policies. 7. Monitor logs for unusual activity related to shortcode usage or page content changes that could indicate exploitation attempts. 8. Consider temporarily disabling or replacing the CC Child Pages plugin if mitigation is not feasible until a patch is released.