CVE-2025-13731 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Nexter Extension – Site Enhancements Toolkit plugin for WordPress, specifically in the 'nxt-year' shortcode functionality. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied input before rendering it on pages. As a result, authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code into pages via the shortcode. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 4.4.1 of the plugin. The CVSS 3.1 base score of 6.4 reflects that the attack vector is network-based, requires low attack complexity, and privileges at the Contributor level, but does not require user interaction. The scope is changed because the vulnerability affects other users who view the injected content. Confidentiality and integrity impacts are low, while availability is not affected. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is used within the WordPress ecosystem, which is widely deployed across many European organizations for websites and content management.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of user data on affected WordPress sites. Attackers with Contributor-level access can inject persistent scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. This can undermine trust in the affected websites, cause reputational damage, and lead to data breaches involving personal or sensitive information. Organizations relying on WordPress for e-commerce, media, or customer engagement are particularly vulnerable, as compromised sites can disrupt business operations and customer interactions. The vulnerability does not directly impact availability, but indirect effects such as site downtime due to remediation or exploitation may occur. Since exploitation requires authenticated access at Contributor level, organizations with lax user privilege management or large contributor bases are at higher risk. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future attacks.

1. Monitor for and apply security updates: Although no patch links are currently available, organizations should closely monitor the plugin vendor’s announcements and apply updates as soon as a fixed version is released. 2. Restrict Contributor privileges: Limit the number of users with Contributor-level access to only those who absolutely require it, and review user roles regularly to minimize exposure. 3. Implement input validation and output encoding: Where possible, apply additional input sanitization and output escaping at the application or web server level to mitigate injection risks. 4. Deploy Web Application Firewalls (WAFs): Use WAFs with rules that detect and block common XSS payloads, especially targeting the 'nxt-year' shortcode or suspicious shortcode usage patterns. 5. Conduct regular security audits: Perform code reviews and vulnerability scans on WordPress plugins and themes to identify and remediate similar issues proactively. 6. Educate content contributors: Train users with editing privileges on secure content practices and the risks of injecting untrusted code. 7. Monitor logs and user activity: Detect anomalous shortcode usage or unexpected script injections to identify potential exploitation attempts early.