CVE-2025-13667 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Recipe Manager plugin for WordPress, developed by tomiup. This vulnerability affects all versions up to and including 1.0.0. The root cause is improper neutralization of user-supplied input in the 'Skill Level' field, where insufficient input sanitization and output escaping allow malicious scripts to be stored in the database. Authenticated users with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into recipe pages. When other users, including administrators or site visitors, access the compromised pages, the injected scripts execute in their browsers. This can lead to session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level, with attack vector being network-based and requiring low attack complexity but authenticated privileges. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. No user interaction is required beyond viewing the affected page. There are no known public exploits or patches available at the time of publication, increasing the urgency for site administrators to implement mitigations. The vulnerability is cataloged under CWE-79, which covers improper neutralization of input during web page generation, a common cause of XSS vulnerabilities.

The impact of CVE-2025-13667 on organizations worldwide can be significant, particularly for those relying on WordPress sites with the WP Recipe Manager plugin installed. Successful exploitation allows attackers with relatively low privileges (Contributor-level) to inject persistent malicious scripts that execute in the context of other users’ browsers. This can compromise user sessions, steal authentication tokens, manipulate site content, or redirect users to malicious sites. For organizations, this can lead to data breaches, loss of user trust, reputational damage, and potential regulatory penalties if sensitive data is exposed. Since the vulnerability requires authentication, it limits exposure to some extent; however, many WordPress sites allow user registrations or have multiple contributors, increasing the attack surface. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits rapidly once the vulnerability is public. The medium CVSS score reflects moderate impact on confidentiality and integrity but no direct impact on availability. The scope change indicates that the vulnerability can affect users beyond the attacker’s privileges, amplifying the risk.

To mitigate CVE-2025-13667, organizations should take several specific actions beyond generic advice: 1) Immediately restrict Contributor-level and higher user privileges to trusted individuals only, minimizing the risk of malicious input. 2) Implement Web Application Firewall (WAF) rules that detect and block suspicious script tags or JavaScript payloads in the 'Skill Level' field or other input areas related to the plugin. 3) Monitor logs and user activity for unusual behavior indicative of XSS exploitation attempts, such as unexpected script injections or anomalous page content changes. 4) If possible, apply manual input validation and output escaping in the plugin’s codebase as a temporary patch until an official update is released. 5) Educate site administrators and contributors about the risks of injecting untrusted content and the importance of input sanitization. 6) Regularly check for updates from the plugin vendor and apply patches promptly once available. 7) Consider disabling or replacing the WP Recipe Manager plugin if immediate patching is not feasible, especially on high-value or public-facing sites. 8) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts, reducing the impact of potential XSS payloads.