CVE-2025-13848 identifies a stored Cross-Site Scripting (XSS) vulnerability in the STM Gallery 1.9 plugin for WordPress, specifically affecting all versions up to and including 0.9. The vulnerability arises from improper neutralization of input (CWE-79) during web page generation, where the 'composicion' parameter is not sufficiently sanitized or escaped before being stored and rendered. This flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript code into pages managed by the plugin. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges (Contributor or above) but no user interaction from victims. The scope is changed, meaning the vulnerability can affect resources beyond the attacker’s privileges. No known exploits are currently in the wild, and no official patches have been published as of the vulnerability disclosure date. The STM Gallery plugin is used in WordPress environments, which are widely deployed globally, especially in content management and web publishing. This vulnerability highlights the importance of rigorous input validation and output encoding in plugin development to prevent stored XSS attacks that can impact a broad user base.

The impact of CVE-2025-13848 is significant for organizations using the STM Gallery 1.9 WordPress plugin, especially those with multiple contributors managing content. Successful exploitation allows attackers to inject persistent malicious scripts that execute in the browsers of any user viewing the compromised pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed with victim user privileges, and potential spread of malware. Since the vulnerability requires Contributor-level access, insider threats or compromised contributor accounts pose a serious risk. The scope change means the attacker can affect users with higher privileges or broader access, increasing potential damage. For organizations relying on WordPress for public-facing websites, this can result in reputational damage, data breaches, and compliance violations. Although no known exploits are currently reported, the medium CVSS score and ease of exploitation by authenticated users make timely mitigation critical to prevent future attacks.

To mitigate CVE-2025-13848, organizations should immediately review and restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implement additional input validation and output encoding on the 'composicion' parameter at the application or web server level if possible, using web application firewalls (WAFs) with custom rules to detect and block suspicious payloads. Monitor logs and user activity for unusual behavior indicative of attempted XSS exploitation. Educate contributors about safe content practices and the risks of injecting scripts. Until an official patch is released, consider disabling or replacing the STM Gallery plugin with a more secure alternative. Regularly check for updates from the vendor and apply patches promptly once available. Employ Content Security Policy (CSP) headers to restrict script execution sources, limiting the impact of injected scripts. Conduct periodic security assessments of WordPress plugins to identify and remediate similar vulnerabilities proactively.