CVE-2025-13848 identifies a stored Cross-Site Scripting (XSS) vulnerability in the STM Gallery 1.9 plugin for WordPress, specifically affecting all versions up to and including 0.9. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The flaw is located in the handling of the 'composicion' parameter, which lacks sufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can exploit this vulnerability by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes in the context of any user who accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level, with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change (affecting other components). The impact includes limited confidentiality and integrity loss but no availability impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild, but the presence of the vulnerability in a popular CMS plugin makes it a credible threat. The vulnerability was published on January 7, 2026, with the CVE reserved on December 1, 2025. The STM Gallery plugin is used to manage image galleries on WordPress sites, and this vulnerability could be leveraged to compromise site visitors or administrators.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with the STM Gallery plugin installed. Exploitation could lead to unauthorized script execution in users' browsers, enabling session hijacking, credential theft, or unauthorized actions performed with the privileges of the victim user. This can result in data breaches, defacement of websites, erosion of customer trust, and potential regulatory penalties under GDPR if personal data is compromised. Since the vulnerability requires Contributor-level access, insider threats or compromised contributor accounts pose a risk. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the plugin itself, potentially impacting the broader WordPress environment. Although no known exploits are currently reported, the medium severity and ease of exploitation with low complexity make it a credible threat. Organizations with public-facing WordPress sites, especially those in sectors like e-commerce, media, and government, are at higher risk of reputational and operational damage.

To mitigate this vulnerability, European organizations should first verify if the STM Gallery plugin is installed and determine the version in use. Since no official patch links are provided, organizations should consider the following specific actions: 1) Restrict Contributor-level access strictly to trusted users and review existing user roles and permissions to minimize the number of users who can exploit this flaw. 2) Implement Web Application Firewall (WAF) rules that detect and block suspicious input patterns targeting the 'composicion' parameter. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Conduct regular security audits and code reviews of WordPress plugins and themes to identify similar input validation issues. 5) Monitor logs and user activity for signs of exploitation attempts or anomalous behavior. 6) Consider temporarily disabling or removing the STM Gallery plugin if immediate patching is not available and the risk is high. 7) Educate content contributors about safe input practices and the risks of injecting untrusted content. These targeted measures go beyond generic advice and address the specific nature of this vulnerability.