CVE-2025-13857 is a stored cross-site scripting (XSS) vulnerability identified in the Yet Another WebClap for WordPress plugin developed by ksakai. The vulnerability exists in all versions up to and including 0.2 due to insufficient sanitization and escaping of user-supplied input in the 'text' parameter of the webclap_button shortcode. This improper neutralization of input (CWE-79) allows authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code into WordPress pages. When other users access these pages, the injected scripts execute within their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the victim's session. The vulnerability is exploitable remotely over the network without user interaction, with a low attack complexity, but requires authenticated access with at least Contributor rights. The CVSS v3.1 base score is 6.4, reflecting a medium severity with partial impact on confidentiality and integrity but no impact on availability. No official patches or updates are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those allowing shortcode parameters to accept user input.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, performing actions on behalf of users, or defacing content. While availability is not directly affected, the trustworthiness and security posture of the affected websites can be significantly undermined. Organizations running websites with this plugin may face reputational damage, data leakage, and unauthorized access incidents. Since Contributor-level access is required, the threat is somewhat limited to insider threats or compromised accounts with elevated privileges. However, given WordPress's widespread use and the popularity of plugins, the vulnerability could be leveraged in targeted attacks against organizations relying on this plugin for user engagement features.

To mitigate this vulnerability, organizations should immediately audit their WordPress installations for the presence of the Yet Another WebClap plugin and verify the version in use. Since no official patch links are currently available, administrators should consider disabling or uninstalling the plugin until a secure update is released. As a temporary workaround, restrict Contributor-level user permissions and review user roles to minimize the number of users who can inject content via the shortcode. Implement web application firewall (WAF) rules to detect and block suspicious script injection attempts targeting the 'text' parameter. Additionally, site administrators should enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs for unusual activity related to shortcode usage and user-generated content. Finally, maintain an update process to apply vendor patches promptly once they become available.