CVE-2025-13853 is a stored cross-site scripting vulnerability identified in the Nearby Now Reviews plugin for WordPress, developed by lnbadmin1. The flaw exists in all versions up to and including 5.2 and is caused by improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'data_tech' parameter within the nn-tech shortcode. This allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 score of 6.4, reflecting a medium severity with network attack vector, low attack complexity, and no user interaction required. The scope is classified as changed, indicating that the vulnerability affects resources beyond the attacker’s privileges. Although no known exploits are currently in the wild and no official patches have been released, the vulnerability represents a significant risk to WordPress sites using this plugin. The attack requires authenticated access at the Contributor level, which is a moderate barrier but still feasible in many environments. The vulnerability falls under CWE-79, a common and well-understood class of web application security issues. The lack of output escaping and input validation in the plugin's codebase is the root cause, emphasizing the importance of secure coding practices in plugin development.

The impact of CVE-2025-13853 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with Contributor-level access to inject persistent malicious scripts that execute in the browsers of site visitors or administrators. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, defacement, or unauthorized actions performed with the victim’s privileges. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who view the compromised content, increasing the attack surface. Although availability is not directly impacted, the resulting compromise can facilitate further attacks, including privilege escalation or malware distribution. Organizations relying on the Nearby Now Reviews plugin face risks of reputational damage, data breaches, and potential regulatory consequences if user data is exposed. The medium CVSS score reflects the moderate ease of exploitation combined with the significant potential consequences. The requirement for authenticated access limits exposure somewhat but does not eliminate risk, especially in environments with many contributors or weak access controls. The vulnerability could be leveraged in targeted attacks against organizations with active WordPress sites using this plugin, particularly those with valuable user data or high traffic.

To mitigate CVE-2025-13853, organizations should immediately audit and restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implement strict input validation and output encoding for the 'data_tech' parameter in any custom code or overrides related to the Nearby Now Reviews plugin. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the nn-tech shortcode parameters. Monitor site content regularly for unexpected script injections or anomalies in pages using the plugin. Until an official patch is released, consider temporarily disabling or replacing the Nearby Now Reviews plugin if feasible. Educate content contributors about the risks of injecting untrusted content and enforce secure content submission policies. Keep WordPress core and all plugins updated to reduce the attack surface from other vulnerabilities. Finally, implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks.