CVE-2025-13853 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Nearby Now Reviews plugin for WordPress, developed by lnbadmin1. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically through the 'data_tech' parameter of the nn-tech shortcode. In all versions up to and including 5.2, the plugin fails to sufficiently sanitize and escape user-supplied input, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code. Because the injected scripts are stored persistently, they execute whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions within the context of the victim's browser session. The vulnerability requires no user interaction beyond visiting the infected page, and the attacker only needs Contributor-level access, which is a relatively low privilege level in WordPress. The CVSS v3.1 score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors or editors. The lack of patches at the time of reporting necessitates immediate mitigation steps to reduce exposure.

For European organizations, this vulnerability can lead to unauthorized script execution on their WordPress sites, resulting in session hijacking, defacement, phishing, or distribution of malware to site visitors. Confidentiality is impacted as attackers can steal sensitive user data or authentication tokens. Integrity is compromised through unauthorized content modification, and availability could be indirectly affected if the site is defaced or blacklisted by browsers or search engines. Organizations relying on WordPress for customer engagement, e-commerce, or internal communications may suffer reputational damage and regulatory consequences under GDPR if user data is exposed. The requirement for Contributor-level access means insider threats or compromised accounts can be leveraged to exploit this vulnerability, increasing risk in collaborative environments. The medium severity score indicates a moderate but actionable threat that should be addressed promptly to prevent escalation or chaining with other vulnerabilities.

1. Immediately restrict Contributor-level and higher user roles to trusted personnel only, minimizing the risk of malicious input. 2. Monitor and audit user-generated content, especially inputs to the nn-tech shortcode, for suspicious scripts or anomalies. 3. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the 'data_tech' parameter. 4. Apply strict Content Security Policy (CSP) headers to limit script execution sources and reduce impact of injected scripts. 5. Regularly update the Nearby Now Reviews plugin as soon as the vendor releases a patch addressing this vulnerability. 6. Employ additional input validation and output encoding plugins or custom code to sanitize shortcode parameters. 7. Educate content contributors about safe input practices and the risks of injecting scripts. 8. Conduct periodic security scans and penetration tests focusing on WordPress plugins and user input vectors.