CVE-2025-13740 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Lightweight Accordion plugin for WordPress, versions up to and including 1.5.20. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of the plugin's `lightweight-accordion` shortcode attributes. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages by exploiting insufficient input sanitization and lack of proper output escaping. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is classified under CWE-79 and has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based (remote), requires low attack complexity, and privileges at the contributor level, with no user interaction needed beyond page access. The scope is changed as the vulnerability affects other users beyond the attacker. No patches or official fixes are currently listed, and no known exploits have been reported in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content or shortcode attributes to be rendered without proper sanitization.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the Lightweight Accordion plugin on WordPress. Exploitation can lead to unauthorized script execution in the context of affected websites, risking user session hijacking, data theft, defacement, or further compromise of site integrity. This can damage organizational reputation, lead to data breaches involving personal or customer data protected under GDPR, and potentially cause service disruptions. Since the attack requires contributor-level access, insider threats or compromised accounts are the most likely vectors. Organizations with public-facing WordPress sites that rely on this plugin for content presentation are particularly vulnerable. The impact extends to any users visiting infected pages, including customers and employees, increasing the risk of lateral attacks or phishing. The medium CVSS score reflects that while the vulnerability is not trivially exploitable by unauthenticated attackers, the consequences of successful exploitation can be significant, especially in sectors like e-commerce, media, and public services prevalent in Europe.

European organizations should immediately audit their WordPress installations to identify the presence of the Lightweight Accordion plugin and its version. Until an official patch is released, practical mitigations include: restricting contributor-level permissions to trusted users only; implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs; employing Content Security Policy (CSP) headers to limit script execution sources; sanitizing and validating all user-generated content before it is rendered; monitoring logs for unusual shortcode usage or script injections; and educating content contributors about the risks of injecting untrusted content. Additionally, organizations should consider temporarily disabling or removing the plugin if it is not essential. Regular backups and incident response plans should be updated to quickly recover from potential exploitation. Once a patch is available, prompt application is critical. Continuous monitoring for updates from the plugin vendor and WordPress security advisories is recommended.