CVE-2025-13849 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Cool YT Player plugin for WordPress, developed by matiasanca. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'videoid' parameter. All plugin versions up to and including 1.0 fail to adequately sanitize or escape this input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time any user accesses the compromised page, potentially enabling session hijacking, privilege escalation, or other malicious actions that compromise confidentiality and integrity. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. No patches or known exploits are currently reported, but the risk remains significant due to the common use of WordPress and the plugin's functionality in embedding YouTube videos. The vulnerability is categorized under CWE-79, highlighting the failure to properly sanitize input leading to XSS attacks.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of web applications using the Cool YT Player plugin. Attackers with Contributor-level access can inject scripts that execute in the context of other users, potentially stealing session tokens, defacing content, or performing unauthorized actions on behalf of users. This can lead to data breaches, reputational damage, and loss of user trust. Since WordPress powers a significant portion of websites in Europe, especially in sectors like media, education, and small to medium enterprises, exploitation could disrupt business operations and expose sensitive user data. The lack of known exploits currently reduces immediate risk, but the ease of exploitation by authenticated users means insider threats or compromised contributor accounts could be leveraged. The vulnerability does not affect availability directly but can indirectly impact service reliability through defacement or administrative misuse.

European organizations should implement the following specific mitigations: 1) Restrict Contributor-level access strictly to trusted users and regularly audit user roles and permissions to minimize the risk of malicious input injection. 2) Monitor WordPress sites for unusual script injections or unexpected changes in pages that embed YouTube videos via the Cool YT Player plugin. 3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'videoid' parameter. 4) Until an official patch is released, consider disabling or removing the Cool YT Player plugin if it is not essential. 5) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 6) Educate content contributors about the risks of injecting untrusted content and enforce input validation at the application level where possible. 7) Stay updated with vendor advisories and apply patches promptly once available.