CVE-2025-13838 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WishSuite – Wishlist for WooCommerce plugin for WordPress, affecting all versions up to and including 1.5.1. The vulnerability arises from improper neutralization of input during web page generation, specifically in the 'button_text' parameter of the 'wishsuite_button' shortcode. This parameter lacks sufficient input sanitization and output escaping, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability requires authentication but no user interaction beyond visiting the compromised page. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impacts on confidentiality and integrity with no availability impact. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is significant because Contributor-level users are common in WordPress environments, and the plugin is widely used in WooCommerce-based e-commerce sites, which handle sensitive customer data and transactions. The stored nature of the XSS increases risk as the malicious payload persists and affects multiple users. This vulnerability underscores the importance of rigorous input validation and output encoding in plugin development, especially for widely deployed e-commerce platforms.

For European organizations, this vulnerability poses a moderate risk primarily to e-commerce websites using WooCommerce with the WishSuite plugin. Exploitation could lead to unauthorized script execution in users' browsers, resulting in session hijacking, theft of customer data, or unauthorized actions performed on behalf of users. This can damage customer trust, lead to regulatory non-compliance (e.g., GDPR breaches due to data exposure), and cause financial losses. Since Contributor-level users can exploit this flaw, insider threats or compromised contributor accounts increase risk. The persistence of the injected scripts means multiple users can be affected over time, amplifying impact. Additionally, the integrity of the website content and user interactions can be compromised, potentially facilitating further attacks such as phishing or malware distribution. The medium severity score reflects that while the attack requires some privileges, the ease of exploitation and potential confidentiality and integrity impacts warrant prompt attention. Organizations with high e-commerce traffic or sensitive customer data are particularly vulnerable to reputational and operational damage.

1. Immediately restrict Contributor-level permissions to trusted users only and review existing contributor accounts for suspicious activity. 2. Disable or remove the WishSuite plugin if it is not essential or until a patch is available. 3. Implement strict input validation and output encoding for the 'button_text' parameter in custom plugin code or overrides to prevent script injection. 4. Monitor website pages for unexpected or suspicious shortcode usage and injected scripts using web application firewalls (WAF) or security plugins. 5. Educate content contributors about the risks of injecting untrusted content and enforce content review policies. 6. Regularly update WordPress core, plugins, and themes to incorporate security patches once available. 7. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. 8. Conduct security audits and penetration testing focused on user-generated content and shortcode processing. 9. Backup website data regularly to enable quick recovery in case of compromise. 10. Monitor logs for unusual activity related to shortcode usage or contributor actions.