CVE-2025-13847 identifies a Stored Cross-Site Scripting vulnerability in the PhotoFade plugin for WordPress, maintained by davidangel. The vulnerability exists in all versions up to and including 0.2.1 due to insufficient sanitization and escaping of the 'time' parameter during web page generation. This parameter is vulnerable to injection of arbitrary JavaScript code by authenticated users with Contributor-level permissions or higher. Because the malicious script is stored persistently, it executes in the context of any user who accesses the affected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability is exploitable remotely over the network without user interaction, with low attack complexity, but requires authenticated access with contributor privileges, which limits the attacker scope to insiders or compromised accounts. The CVSS 3.1 base score is 6.4, reflecting a medium severity with partial impact on confidentiality and integrity but no impact on availability. No patches or official fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. This issue highlights the importance of proper input validation and output encoding in WordPress plugins, especially those handling user-supplied parameters that are rendered in pages.

The primary impact of CVE-2025-13847 is the potential compromise of user confidentiality and integrity on WordPress sites using the PhotoFade plugin. An attacker with Contributor-level access can inject malicious scripts that execute in the browsers of any visitors to the affected pages, enabling session hijacking, credential theft, or unauthorized actions such as content manipulation or privilege escalation. This can lead to broader site compromise, defacement, or use of the site as a vector for further attacks. Although availability is not directly affected, the reputational damage and trust erosion from successful exploitation can be significant. Organizations relying on PhotoFade for photo display or gallery functionality face risks of insider threats or compromised contributor accounts being leveraged for persistent XSS attacks. The medium CVSS score reflects that while exploitation requires some level of authentication, the ease of injection and the persistent nature of the vulnerability make it a notable risk. The absence of known exploits in the wild suggests limited current active exploitation, but the vulnerability remains a viable target for attackers seeking footholds in WordPress environments.

To mitigate CVE-2025-13847, organizations should immediately audit their WordPress installations for the presence of the PhotoFade plugin and verify the version in use. Since no official patches are currently linked, administrators should consider the following specific actions: 1) Restrict Contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'time' parameter in PhotoFade-related requests. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Conduct manual code review or apply custom input sanitization and output encoding for the 'time' parameter if feasible. 5) Monitor logs for unusual contributor activity or unexpected changes in pages using PhotoFade. 6) Plan to upgrade or replace the PhotoFade plugin once a patched version is released or consider alternative plugins with better security track records. 7) Educate contributors about the risks of injecting untrusted content and enforce strict content submission guidelines. These targeted mitigations go beyond generic advice by focusing on access control, detection, and containment specific to this vulnerability's exploitation vector.