The BUKAZU Search widget plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-13840. This vulnerability arises due to improper neutralization of input during web page generation (CWE-79), specifically through the 'shortcode' parameter of the 'bukazu_search' shortcode. In all versions up to 3.3.2, the plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The vulnerability's exploitation could lead to partial confidentiality and integrity loss without affecting availability. The lack of a patch at the time of disclosure necessitates immediate attention to mitigate risks.

For European organizations, this vulnerability can lead to unauthorized script execution on their WordPress sites, risking user credential theft, session hijacking, and unauthorized actions performed under legitimate user contexts. This can result in data breaches, defacement of websites, loss of customer trust, and potential regulatory penalties under GDPR if personal data is compromised. Organizations relying on multi-user WordPress environments with Contributor-level users are particularly at risk. The medium severity score indicates a moderate but tangible threat, especially for public-facing websites or those handling sensitive user data. The scope change means the vulnerability can affect components beyond the plugin itself, potentially impacting the entire WordPress site. Given the widespread use of WordPress across Europe, especially in small and medium enterprises, the impact could be broad if not addressed promptly.

European organizations should immediately audit their WordPress installations to identify the presence of the BUKAZU Search widget plugin and its version. Until an official patch is released, administrators should restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious shortcode injection. Implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode parameters or script injections can provide interim protection. Additionally, applying manual input validation and output escaping in the plugin code, if feasible, can mitigate exploitation. Regularly monitoring website logs for unusual activity and conducting security scans to detect injected scripts is recommended. Once a patch becomes available, organizations must prioritize updating the plugin. Educating content contributors about safe input practices and limiting plugin usage to trusted sources further reduces risk.