CVE-2025-13730 is a stored Cross-Site Scripting (XSS) vulnerability identified in the OpenID Connect Generic Client plugin for WordPress, maintained by daggerhart. The vulnerability affects all versions up to and including 3.10.0. It stems from improper neutralization of input (CWE-79) during web page generation, specifically through the plugin's 'openid_connect_generic_auth_url' shortcode. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code into pages by exploiting insufficient input sanitization and output escaping mechanisms. Once injected, these scripts execute in the context of any user who accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability requires no user interaction for exploitation but does require authenticated access, limiting the attack surface to users with some level of trust within the WordPress environment. The CVSS v3.1 base score is 6.4, indicating a medium severity level, with attack vector being network (remote), low attack complexity, privileges required (low), no user interaction, and scope changed due to impact on other components. No patches or known exploits have been reported at the time of publication, but the vulnerability poses a significant risk to sites relying on this plugin for OpenID Connect authentication integration.

For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress sites, potentially compromising user credentials, session tokens, and sensitive information. Since the plugin is used to integrate OpenID Connect authentication, exploitation could undermine the integrity of authentication flows, enabling attackers to impersonate users or escalate privileges. This is particularly critical for organizations handling personal data under GDPR, as breaches could result in regulatory penalties and reputational damage. The requirement for Contributor-level access means insider threats or compromised accounts could be leveraged to exploit this vulnerability. Additionally, the stored nature of the XSS means that once injected, the malicious code persists and affects all visitors to the infected page, increasing the attack's reach. The vulnerability does not affect availability but impacts confidentiality and integrity, which are crucial for maintaining trust in authentication systems.

European organizations should immediately audit their WordPress installations to identify the presence of the OpenID Connect Generic Client plugin and verify the version in use. Since no official patches are currently available, temporary mitigations include restricting Contributor-level access to trusted users only and implementing strict content security policies (CSP) to limit the execution of unauthorized scripts. Administrators can also sanitize and review all content generated via the 'openid_connect_generic_auth_url' shortcode to detect and remove injected scripts. Monitoring logs for unusual activity from Contributor-level accounts can help detect exploitation attempts. Organizations should subscribe to vendor advisories for timely patch releases and apply updates promptly once available. Additionally, employing web application firewalls (WAFs) with XSS detection rules can provide an additional layer of defense against exploitation attempts.