CVE-2025-13730 is a stored Cross-Site Scripting (XSS) vulnerability identified in the OpenID Connect Generic Client plugin for WordPress, maintained by daggerhart. The vulnerability exists in all versions up to and including 3.10.0 and is triggered via the 'openid_connect_generic_auth_url' shortcode. The root cause is insufficient sanitization of user input and lack of proper output escaping when generating web pages. This allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The CVSS 3.1 score is 6.4, indicating medium severity, with an attack vector over the network, low complexity, requiring privileges but no user interaction, and impacts on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple contributors. The vulnerability's scope is limited to sites that use the vulnerable shortcode and have users with sufficient privileges to inject malicious content. The stored nature of the XSS increases its impact compared to reflected XSS, as the malicious payload persists and affects multiple users. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The lack of patches at the time of reporting means organizations must rely on interim mitigations until updates are released.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted WordPress sites, compromising user sessions, stealing sensitive data, or performing actions on behalf of legitimate users. This is particularly critical for organizations that rely on WordPress for public-facing websites, intranets, or portals with multiple contributors. The confidentiality of user credentials and personal data may be at risk, as well as the integrity of website content and user interactions. Although availability is not directly impacted, reputational damage and loss of user trust can result from successful exploitation. Organizations in sectors such as government, finance, healthcare, and e-commerce, which often use WordPress and OpenID Connect for authentication, may face increased risks. The requirement for contributor-level access limits the attack surface but does not eliminate it, especially in environments with numerous content editors or third-party contributors. The stored nature of the XSS means that once injected, the malicious code can affect all users who view the compromised pages, amplifying the potential damage.

1. Immediately review and restrict Contributor-level and higher privileges to trusted users only, minimizing the number of users who can inject content via shortcodes. 2. Monitor and audit the use of the 'openid_connect_generic_auth_url' shortcode in all WordPress pages and posts to detect any unauthorized or suspicious usage. 3. Implement Web Application Firewall (WAF) rules that detect and block typical XSS payloads targeting this shortcode. 4. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of injected scripts. 5. Regularly update the OpenID Connect Generic Client plugin as soon as a patch addressing this vulnerability is released by the vendor. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Conduct periodic security scans and penetration tests focusing on stored XSS vulnerabilities in WordPress environments. 8. Consider temporarily disabling the vulnerable shortcode if feasible until a patch is available. 9. Use security plugins that provide enhanced input sanitization and output escaping for shortcodes and user-generated content.