CVE-2025-13848 identifies a stored Cross-Site Scripting (XSS) vulnerability in the STM Gallery 1.9 plugin for WordPress, specifically affecting all versions up to and including 0.9. The vulnerability arises from insufficient sanitization and escaping of the 'composicion' parameter, which allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into web pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple authenticated contributors. The vulnerability's exploitation requires authenticated access, limiting exposure to internal or trusted users, but the potential for persistent script injection makes it a significant threat to site integrity and user trust.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted WordPress environments, potentially compromising user credentials, session tokens, or enabling further attacks such as privilege escalation or data manipulation. Organizations relying on STM Gallery 1.9 in their content management workflows may face risks of data leakage or defacement. Since contributors can inject scripts, insider threats or compromised contributor accounts increase risk. The impact is particularly relevant for organizations with collaborative content creation, such as media companies, educational institutions, and government agencies. The vulnerability does not directly affect availability but can undermine user trust and lead to reputational damage. Additionally, GDPR implications arise if personal data is exposed or manipulated due to the vulnerability. The medium severity score reflects a moderate but actionable risk that requires timely mitigation to prevent exploitation.

Immediate mitigation should include restricting Contributor-level access to trusted users only and auditing existing contributor accounts for suspicious activity. Implement strict input validation and output encoding on the 'composicion' parameter to prevent script injection. Since no official patches are currently linked, organizations should monitor vendor advisories for updates and apply patches promptly once available. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS patterns to detect and block malicious payloads. Conduct regular security reviews of WordPress plugins and consider disabling or replacing STM Gallery 1.9 if it is not essential. Educate content contributors about secure content practices and the risks of injecting untrusted code. Finally, implement Content Security Policy (CSP) headers to reduce the impact of any injected scripts by restricting script sources.