CVE-2025-13693 is a stored Cross-Site Scripting (XSS) vulnerability identified in the 'Image Photo Gallery Final Tiles Grid' WordPress plugin developed by wpchill. This vulnerability exists in all versions up to and including 3.6.8. The root cause is insufficient sanitization and escaping of user input in the 'Custom scripts' setting, which allows authenticated users with Author-level or higher privileges to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious scripts are stored persistently, they execute every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability requires authenticated access but no user interaction beyond visiting the infected page. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required at the Author level. The scope is changed, indicating that the vulnerability can affect components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. No patches or official fixes have been released at the time of publication, and no known exploits are reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS attacks.

For European organizations, this vulnerability poses a significant risk to WordPress-based websites that use the affected plugin, particularly those with multiple content authors or contributors. Exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware through injected scripts. This can damage brand reputation, lead to data breaches involving user credentials or personal data, and potentially cause regulatory non-compliance under GDPR if personal data is compromised. The requirement for Author-level access limits the attack surface to insiders or compromised accounts, but many organizations grant such privileges to trusted users, increasing risk. The persistent nature of the stored XSS means that even users with lower privileges or visitors can be affected once the malicious script is injected. Given the widespread use of WordPress across Europe, especially in sectors like media, e-commerce, and education, the impact could be broad if not mitigated promptly.

1. Immediately audit user roles and restrict Author-level privileges to trusted personnel only, minimizing the number of users who can inject scripts. 2. Disable or restrict the 'Custom scripts' setting in the plugin until an official patch is released. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections related to this plugin. 4. Monitor WordPress plugin updates closely and apply patches as soon as they become available. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 6. Conduct regular security reviews and penetration testing focusing on user input sanitization in WordPress plugins. 7. Educate content authors about the risks of injecting scripts and enforce strict content policies. 8. Consider replacing the vulnerable plugin with alternative gallery plugins that follow secure coding practices if a patch is delayed.