CVE-2025-13693 is a stored cross-site scripting vulnerability classified under CWE-79 found in the 'Image Photo Gallery Final Tiles Grid' WordPress plugin developed by wpchill. The vulnerability exists due to insufficient sanitization and escaping of user input within the 'Custom scripts' setting, which is accessible to authenticated users with Author-level access or higher. This flaw allows these users to inject arbitrary JavaScript code that is stored persistently and executed in the browsers of any users who visit the affected pages. Because the vulnerability requires authenticated access with Author privileges, it is not exploitable by unauthenticated attackers but poses a significant risk if an attacker gains such access, either through credential compromise or insider threat. The CVSS 3.1 base score of 6.4 reflects a medium severity, with network attack vector (remote exploitation), low attack complexity, and no user interaction required for the payload to execute once injected. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, potentially impacting all users visiting the site. The impact includes limited confidentiality and integrity loss, such as theft of session cookies, defacement, or execution of unauthorized actions on behalf of users. No patches have been officially released at the time of publication, and no known exploits have been observed in the wild. The vulnerability affects all versions up to and including 3.6.8 of the plugin, which is widely used in WordPress environments for image gallery management.

The impact of CVE-2025-13693 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with Author-level access to inject malicious scripts that execute in the context of other users visiting the site, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or site defacement. This can undermine user trust and damage organizational reputation. Since the vulnerability requires authenticated access, the risk is elevated in environments with weak access controls or compromised credentials. The scope of impact extends to all users who visit the infected pages, including administrators and site visitors, increasing the potential damage. For organizations relying on this plugin for image gallery functionality, exploitation could disrupt normal operations and expose sensitive user data. Although no known exploits are currently reported, the medium CVSS score and the nature of stored XSS vulnerabilities suggest a credible threat if attackers gain sufficient privileges.

To mitigate CVE-2025-13693, organizations should implement the following specific measures: 1) Immediately restrict Author-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 2) Monitor and audit user activity, especially changes to the 'Custom scripts' setting, to detect unauthorized modifications. 3) Apply strict input validation and output encoding on all user-supplied data within the plugin’s settings, ideally by updating the plugin once a patch is released. 4) If an official patch is not yet available, consider temporarily disabling the 'Custom scripts' feature or the entire plugin to prevent exploitation. 5) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 6) Regularly scan the website for injected scripts or anomalous content using security tools specialized in detecting XSS payloads. 7) Educate site administrators and content creators on the risks of granting excessive privileges and the importance of secure configuration. These steps go beyond generic advice by focusing on privilege management, monitoring, and interim protective controls until a patch is deployed.