CVE-2025-13884 identifies a stored cross-site scripting vulnerability in the 'Hide Email Address' WordPress plugin developed by buntegiraffe. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'inline_css' parameter within the 'bg-hide-email-address' shortcode. This flaw allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The vulnerability affects all versions up to and including 0.1 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and a scope change. The vulnerability impacts confidentiality and integrity but not availability. No patches or fixes are currently published, and no known exploits are reported in the wild. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the context of other users, including administrators, enabling session hijacking, theft of sensitive data such as cookies or credentials, and unauthorized actions like content manipulation or privilege escalation. While availability is not directly affected, the trustworthiness and security posture of the affected websites can be severely undermined. Organizations relying on the 'Hide Email Address' plugin risk reputational damage, data breaches, and potential regulatory consequences if user data is compromised. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with multiple contributors or less stringent access controls.

1. Immediate mitigation involves restricting Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input injection. 2. Disable or remove the 'Hide Email Address' plugin until a security patch or update is released by the vendor. 3. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious script injections targeting the 'inline_css' parameter or shortcode usage. 4. Conduct thorough input validation and output encoding on all user-supplied data within the WordPress environment, especially for shortcodes and plugin parameters. 5. Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 6. Once available, promptly apply vendor patches or updates addressing this vulnerability. 7. Educate site administrators and contributors about the risks of XSS and the importance of secure coding and plugin management practices.