CVE-2025-13747 is a stored Cross-Site Scripting (XSS) vulnerability identified in the NewStatPress plugin for WordPress, affecting all versions up to and including 1.4.3. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes in the nsp_shortcode function, which processes shortcode inputs. Specifically, a regex bypass allows authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of the user. The CVSS 3.1 score of 6.4 reflects a medium severity level, with an attack vector over the network, low complexity, requiring privileges (authenticated contributor or higher), no user interaction, and a scope change (the vulnerability affects components beyond the initially vulnerable code). No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for websites relying on this plugin. The lack of an official patch at the time of publication necessitates immediate mitigation steps to prevent exploitation.

For European organizations, this vulnerability poses a risk primarily to websites using WordPress with the NewStatPress plugin installed. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users visiting the site, potentially compromising user credentials, session tokens, or enabling further attacks such as phishing or privilege escalation. This can lead to data breaches, reputational damage, and loss of user trust. Given the widespread use of WordPress across Europe, especially in sectors like media, education, and small to medium enterprises, the impact could be significant. The vulnerability does not directly affect availability but compromises confidentiality and integrity. Organizations with multi-user WordPress environments where contributors can upload content are particularly at risk. The stored nature of the XSS increases persistence and reach of the attack, affecting all visitors to infected pages.

1. Immediately restrict contributor-level user permissions to trusted personnel only until the vulnerability is patched. 2. Monitor and audit all user-generated content, especially shortcode attributes, for suspicious scripts or code injections. 3. Apply strict input validation and output encoding on all shortcode attributes in the NewStatPress plugin code as a temporary fix if patching is not yet available. 4. Disable or remove the NewStatPress plugin if it is not essential to reduce attack surface. 5. Keep WordPress core and all plugins updated; apply the official patch from ice00 as soon as it is released. 6. Implement Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected sites. 7. Educate content contributors about safe content practices and the risks of injecting scripts. 8. Use web application firewalls (WAFs) with rules to detect and block XSS payloads targeting shortcode inputs. 9. Regularly scan websites for XSS vulnerabilities using automated tools to detect any exploitation attempts.