CVE-2025-13704 is a stored Cross-Site Scripting vulnerability identified in the Autogen Headers Menu plugin for WordPress, affecting all versions up to and including 1.0.1. The root cause is insufficient sanitization and escaping of the 'head_class' parameter within the 'autogen_menu' shortcode, allowing malicious script injection. An attacker with authenticated access at the Contributor level or above can submit crafted input that is stored and later rendered on pages viewed by other users, leading to script execution in their browsers. This can result in session hijacking, privilege escalation, or unauthorized actions performed on behalf of victims. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting network exploitability with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with no effect on availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is significant because Contributor-level access is commonly granted in collaborative WordPress environments, increasing the attack surface. The stored nature of the XSS means the malicious payload persists and affects multiple users. The plugin's market penetration is limited to WordPress sites using this specific plugin, but WordPress itself powers a large portion of the web, making the potential impact non-trivial. Mitigation requires either updating the plugin once a patch is released or applying manual input validation and output encoding measures. Monitoring for suspicious shortcode usage and restricting Contributor permissions can reduce risk.

The vulnerability allows authenticated attackers with Contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of users viewing those pages. This can lead to theft of authentication cookies, unauthorized actions performed with victim privileges, defacement, or redirection to malicious sites. The impact affects confidentiality and integrity of the affected websites and their users. Since Contributor access is relatively common in multi-author WordPress sites, the attack surface is significant. Exploitation does not require user interaction, increasing risk. Although availability is not impacted, the breach of user trust and potential data leakage can cause reputational damage and compliance issues. Organizations relying on this plugin may face targeted attacks aiming to compromise site administrators or visitors. The lack of known exploits in the wild suggests limited current exploitation but also indicates a window of opportunity for attackers. The threat is especially relevant for websites with multiple contributors, such as blogs, news sites, and community portals.

1. Immediately restrict Contributor-level permissions to trusted users only until a patch is available. 2. Monitor and audit usage of the 'autogen_menu' shortcode, especially the 'head_class' parameter, for suspicious or unexpected input. 3. Apply manual input validation and output escaping in the plugin code if feasible, sanitizing 'head_class' to allow only safe characters or predefined values. 4. Disable or remove the Autogen Headers Menu plugin if it is not essential to reduce attack surface. 5. Keep WordPress core and all plugins updated and subscribe to security advisories from the plugin vendor and WordPress security teams. 6. Implement Content Security Policy (CSP) headers to limit the impact of injected scripts. 7. Educate site administrators and contributors about the risks of XSS and safe content submission practices. 8. Once a patch is released, apply it promptly and verify that the vulnerability is remediated through testing. 9. Use Web Application Firewalls (WAFs) with rules to detect and block malicious shortcode payloads related to this vulnerability.