CVE-2025-13838 is a stored cross-site scripting (XSS) vulnerability identified in the WishSuite – Wishlist for WooCommerce plugin developed by htplugins for WordPress. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the handling of the 'button_text' parameter within the 'wishsuite_button' shortcode. All versions up to and including 1.5.1 are affected. Authenticated attackers with at least Contributor-level privileges can inject arbitrary JavaScript code into pages by manipulating this parameter. Because the injected scripts are stored and rendered whenever the affected page is accessed, any user visiting the page may unknowingly execute the malicious code. This can lead to theft of session cookies, unauthorized actions on behalf of users, or redirection to malicious sites. The vulnerability does not require user interaction beyond visiting the compromised page and does not require higher privileges than Contributor, which is a relatively low privilege level in WordPress. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No patches or official fixes were listed at the time of disclosure, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, indicating improper input sanitization and output escaping during web page generation. This flaw highlights the importance of rigorous input validation and output encoding in WordPress plugins, especially those that accept user-generated content or parameters.

The impact of CVE-2025-13838 is significant for organizations using the WishSuite plugin on WordPress sites, particularly e-commerce sites leveraging WooCommerce. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users visiting the infected pages. This can lead to session hijacking, unauthorized actions performed with victim user privileges, defacement, phishing, or malware distribution. Since Contributor-level access is relatively easy to obtain compared to Administrator-level, the attack surface is broader. The vulnerability compromises confidentiality and integrity but does not affect availability. For organizations with multiple users and public-facing content, this can result in reputational damage, loss of customer trust, and potential data breaches. The lack of known exploits in the wild currently reduces immediate risk, but the medium CVSS score and ease of exploitation warrant prompt mitigation. E-commerce sites are particularly sensitive as attackers may leverage this to steal customer data or payment information indirectly. The vulnerability also poses risks to site administrators and editors who may have elevated privileges and access to sensitive backend functions.

To mitigate CVE-2025-13838, organizations should immediately update the WishSuite – Wishlist for WooCommerce plugin to a version that addresses this vulnerability once available. In the absence of an official patch, site administrators should implement strict input validation and output encoding for the 'button_text' parameter in the 'wishsuite_button' shortcode. Employing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting this parameter can provide temporary protection. Restrict Contributor-level user permissions to trusted individuals only and audit existing users for suspicious accounts. Regularly review and sanitize all user-generated content and shortcode parameters before rendering. Additionally, enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Monitoring logs for unusual activity related to shortcode usage or script injections is advisable. Finally, educate content editors and contributors about the risks of injecting untrusted content and enforce secure coding practices for any custom plugin development.