CVE-2025-13697 identifies a stored cross-site scripting vulnerability in the BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library plugin. This vulnerability exists in all versions up to and including 2.2.13 due to insufficient sanitization and escaping of the 'timestamp' attribute input. Authenticated attackers with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages by manipulating this attribute. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges, no user interaction, and impacts on confidentiality and integrity but not availability. No public exploits are currently known, but the vulnerability's presence in a popular WordPress plugin makes it a significant risk. The scope is limited to sites using this plugin, but given WordPress's widespread use, the potential attack surface is large. The vulnerability's exploitation does not require user interaction but does require authenticated access at Contributor level or above, which is a moderate barrier but still feasible in many environments. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that extend CMS functionality.

For European organizations, this vulnerability could lead to unauthorized script execution within the context of affected WordPress sites, risking session hijacking, data leakage, or unauthorized actions performed on behalf of legitimate users. This can compromise the confidentiality and integrity of website content and user data. Organizations relying on WordPress for public-facing websites or intranet portals that utilize the BlockArt Blocks plugin are at risk of reputational damage, regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and potential financial loss due to exploitation. The requirement for Contributor-level access reduces the risk from external unauthenticated attackers but does not eliminate insider threats or risks from compromised accounts. The vulnerability could also be leveraged as a foothold for further attacks within an organization's network. Given the widespread use of WordPress in Europe, especially in SMEs and public sector websites, the impact could be significant if not addressed promptly.

European organizations should immediately audit their WordPress installations to identify the presence of the BlockArt Blocks plugin and verify its version. Since no patch links are currently available, organizations should consider the following mitigations: restrict Contributor-level and higher privileges to trusted users only, implement strict role-based access controls, and monitor user activity for suspicious behavior. Employ web application firewalls (WAFs) with rules to detect and block malicious script injections targeting the 'timestamp' attribute. Enable Content Security Policy (CSP) headers to limit script execution sources. Regularly back up website data and maintain an incident response plan for potential exploitation. Additionally, organizations should subscribe to vendor updates and apply patches as soon as they are released. Developers and administrators should review and improve input validation and output encoding practices in custom or third-party plugins. Conduct security awareness training for users with elevated privileges to reduce the risk of credential compromise.