CVE-2025-13747 is a stored Cross-Site Scripting (XSS) vulnerability identified in the NewStatPress plugin for WordPress, affecting all versions up to and including 1.4.3. The root cause is a regex bypass in the nsp_shortcode function, which fails to properly sanitize and escape user-supplied attributes before rendering them on web pages. This flaw allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes in the context of any user who accesses the infected page, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or defacement. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 score is 6.4, reflecting network attack vector, low attack complexity, privileges required at the contributor level, no user interaction needed, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and documented by Wordfence and the CVE database. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps.

The impact of CVE-2025-13747 can be significant for organizations running WordPress sites with the NewStatPress plugin installed. Since contributor-level users can exploit this vulnerability, attackers can inject malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of authentication cookies, session hijacking, unauthorized actions performed on behalf of users, defacement of website content, and potential spread of malware. The compromise of administrator sessions could allow attackers to escalate privileges further, leading to full site takeover. For organizations relying on WordPress for public-facing websites, blogs, or intranet portals, this vulnerability threatens both the confidentiality and integrity of their web presence. Although availability is not directly impacted, reputational damage and loss of user trust can be severe. The vulnerability's exploitation scope is limited to sites using the affected plugin versions, but given WordPress's widespread use globally, the potential attack surface is large. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers often develop exploits after public disclosure.

Organizations should immediately audit their WordPress installations to identify the presence of the NewStatPress plugin and its version. If the plugin is installed and running version 1.4.3 or earlier, administrators should disable or remove the plugin until a security patch is released. In the absence of an official patch, applying manual mitigations such as sanitizing and escaping user inputs in the nsp_shortcode function can reduce risk. Restrict contributor-level permissions to trusted users only and review user roles to minimize the number of users with such access. Implement Web Application Firewalls (WAFs) with rules to detect and block malicious script injections targeting the plugin's shortcode parameters. Regularly monitor logs for suspicious activity related to shortcode usage or unusual script injections. Educate site administrators and contributors about the risks of XSS and the importance of cautious content input. Once a patch is available, prioritize its deployment. Additionally, consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites.