CVE-2025-13884 is a stored Cross-Site Scripting vulnerability identified in the 'Hide Email Address' WordPress plugin developed by buntegiraffe. The vulnerability exists due to insufficient input sanitization and output escaping of the 'inline_css' parameter within the 'bg-hide-email-address' shortcode. This flaw allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. Since the malicious script is stored persistently, it executes in the context of any user who views the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the victim. The vulnerability is exploitable remotely over the network without requiring user interaction, and it affects all versions up to and including 0.1 of the plugin. The CVSS v3.1 base score is 6.4, reflecting medium severity with low attack complexity and partial impact on confidentiality and integrity but no impact on availability. No patches or fixes are currently published, and no known exploits have been observed in the wild. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. Given the plugin's role in obfuscating email addresses, it is likely used on websites aiming to protect contact information, making the injection of malicious scripts particularly impactful for site visitors and administrators.

For European organizations, this vulnerability poses a moderate risk primarily to WordPress-based websites using the 'Hide Email Address' plugin. Exploitation could lead to session hijacking, unauthorized actions, data theft, or defacement, undermining user trust and potentially violating data protection regulations such as GDPR if personal data is compromised. Organizations with multiple contributors or editors are at higher risk since the vulnerability requires authenticated access at Contributor level or above. Public-facing websites, especially those handling sensitive user interactions or customer data, could suffer reputational damage and operational disruptions. The medium CVSS score indicates a significant but not critical threat, yet the stored nature of the XSS means the impact can be persistent and affect many users over time. The lack of known exploits reduces immediate urgency but does not eliminate the risk of future exploitation. European entities relying on WordPress for communication, marketing, or e-commerce should consider this vulnerability a priority for remediation to maintain security and compliance.

1. Monitor for official patches or updates from the plugin developer and apply them immediately once available. 2. Until a patch is released, restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input. 3. Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads, especially targeting the 'inline_css' parameter in shortcode inputs. 4. Conduct regular security audits and code reviews of installed plugins to identify and remediate unsafe input handling. 5. Educate content contributors about safe content practices and the risks of injecting untrusted code. 6. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 7. Consider temporarily disabling or replacing the vulnerable plugin with alternative solutions that have better security track records. 8. Maintain regular backups and incident response plans to quickly recover from potential compromises.