CVE-2025-13885 identifies a stored cross-site scripting (XSS) vulnerability in the Zenost Shortcodes plugin for WordPress, specifically in the handling of the 'link' and 'target' parameters within the 'button' shortcode. The vulnerability stems from insufficient sanitization and escaping of user-supplied input, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into WordPress pages. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions up to and including 1.0 of the plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low complexity, requires privileges (Contributor or above), does not require user interaction, and impacts confidentiality and integrity with a scope change (the vulnerability affects components beyond the initially vulnerable component). No patches or exploit code are currently publicly available, but the risk remains significant due to the stored nature of the XSS and the potential for persistent impact. The vulnerability was published on December 12, 2025, and assigned by Wordfence. Given WordPress's widespread use and the popularity of shortcode plugins for content management, this vulnerability could affect a broad range of websites, especially those with multiple contributors who have editing privileges.

The primary impact of CVE-2025-13885 is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and defacement or manipulation of site content. Because the vulnerability is stored XSS, the malicious payload persists on the site and affects all visitors to the compromised pages, increasing the attack surface. This can damage organizational reputation, result in data breaches, and facilitate further attacks such as phishing or malware distribution. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but many WordPress sites allow contributors or editors, making this a realistic threat. The scope change in the CVSS vector suggests that the vulnerability affects components beyond the immediate plugin, potentially impacting other site functionalities. Organizations relying on Zenost Shortcodes for content presentation are at risk, especially those with multiple content contributors or public-facing websites with high traffic.

1. Immediate mitigation involves restricting Contributor-level access and above to trusted users only, minimizing the risk of malicious input injection. 2. Disable or remove the Zenost Shortcodes plugin until a vendor patch is released. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns in the 'link' and 'target' shortcode parameters. 4. Conduct thorough input validation and output escaping in any custom shortcode or plugin development to prevent similar issues. 5. Monitor site content regularly for unexpected or suspicious script injections, especially in pages using the button shortcode. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission guidelines. 7. Once available, promptly apply vendor patches or updates addressing this vulnerability. 8. Consider deploying Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. 9. Audit user accounts for suspicious activity and enforce strong authentication mechanisms to reduce the risk of account compromise. 10. Backup website data regularly to enable recovery in case of successful exploitation.