CVE-2025-13740 is a stored cross-site scripting vulnerability identified in the Lightweight Accordion plugin for WordPress, affecting all versions up to and including 1.5.20. The root cause is improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes in the plugin's shortcode implementation. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the 'lightweight-accordion' shortcode attributes. Because the injected scripts are stored persistently, they execute in the context of any user who visits the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting network exploitability with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects the plugin's widespread user base, particularly WordPress sites that allow multiple contributors to add content. This flaw underscores the importance of rigorous input validation and output encoding in WordPress plugin development to prevent persistent XSS attacks.

The impact of CVE-2025-13740 can be significant for organizations using the Lightweight Accordion plugin on WordPress sites with multiple contributors. Successful exploitation allows attackers to inject persistent malicious scripts that execute in the browsers of any user visiting the compromised pages. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to user accounts, including administrative accounts if targeted. Additionally, attackers could manipulate page content, perform phishing attacks, or redirect users to malicious websites, undermining user trust and damaging organizational reputation. The vulnerability affects confidentiality and integrity but does not directly impact availability. Organizations with active contributor roles are at higher risk, as the attack requires authenticated access. Given WordPress's global popularity, the threat has a broad potential reach, especially for content-heavy sites or those with less stringent contributor vetting. While no known exploits are currently reported, the medium severity score suggests that attackers could develop exploits relatively easily, making timely mitigation critical to prevent compromise.

To mitigate CVE-2025-13740, organizations should first check for and apply any official patches or updates from the plugin vendor once available. In the absence of a patch, administrators should restrict contributor-level access to trusted users only, minimizing the risk of malicious shortcode attribute injection. Implementing a web application firewall (WAF) with rules to detect and block suspicious script tags or JavaScript payloads in shortcode attributes can provide an additional layer of defense. Site administrators should also audit existing content for injected scripts and remove any suspicious shortcode attributes. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting the sources from which scripts can be loaded or executed. Developers maintaining WordPress sites should consider disabling or replacing the Lightweight Accordion plugin with alternatives that properly sanitize inputs. Finally, educating contributors about secure content practices and monitoring logs for unusual activity can help detect and prevent exploitation attempts.