CVE-2025-13730 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the OpenID Connect Generic Client plugin for WordPress, developed by daggerhart. The vulnerability exists in all versions up to and including 3.10.0 due to insufficient sanitization and escaping of user input in the 'openid_connect_generic_auth_url' shortcode. Authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages using this shortcode. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users to malicious sites, or performing actions on behalf of the victim. The vulnerability is remotely exploitable over the network without user interaction, but requires authentication with at least Contributor privileges, which limits the attack surface to insiders or compromised accounts. The CVSS v3.1 base score is 6.4, reflecting medium severity with low attack complexity and partial impact on confidentiality and integrity but no impact on availability. No patches or known exploits are currently reported, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple contributors. The scope is limited to sites running the affected plugin versions and having Contributor or higher roles enabled. The vulnerability highlights the importance of proper input validation and output encoding in web applications to prevent stored XSS attacks.

The primary impact of CVE-2025-13730 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors, including administrators and other users. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware. While availability is not directly impacted, the reputational damage and potential data breaches can have significant consequences for organizations. Since the vulnerability requires authenticated access, the risk is higher in environments with multiple contributors or where account compromise is possible. Organizations relying on the OpenID Connect Generic Client plugin for authentication may face increased risk of unauthorized access or privilege escalation if attackers leverage this XSS vector. The vulnerability could also be used as a foothold for further attacks within the network or to pivot to other systems. Overall, the threat affects the integrity and confidentiality of web applications and user data, potentially leading to regulatory and compliance issues.

To mitigate CVE-2025-13730, organizations should immediately update the OpenID Connect Generic Client plugin to a version that addresses the vulnerability once available. In the absence of an official patch, administrators should restrict Contributor-level access to trusted users only and review user roles to minimize the number of users with such privileges. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the 'openid_connect_generic_auth_url' shortcode can provide temporary protection. Additionally, site administrators should audit existing content for injected scripts and remove any suspicious code. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting script execution sources. Regularly monitoring logs for unusual activity and conducting user access reviews will help detect and prevent exploitation attempts. Finally, educating contributors about safe content practices and the risks of injecting untrusted input can reduce accidental exploitation.