CVE-2025-13889 is a stored cross-site scripting (XSS) vulnerability identified in the Simple Nivo Slider plugin for WordPress, maintained by tmus. This vulnerability affects all versions up to and including 0.5.6. The root cause is improper neutralization of input during web page generation, specifically through the 'id' shortcode parameter. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into pages by manipulating this parameter. Because the plugin fails to properly sanitize and escape this input, the malicious script is stored and executed in the context of any user who views the infected page. This can lead to session hijacking, theft of cookies, defacement, or further exploitation of the victim’s browser. The vulnerability does not require user interaction beyond page viewing and does not require administrator privileges, but it does require authenticated contributor-level access, which is a moderate barrier. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, and impacts on confidentiality and integrity but not availability. No public exploits are currently known, and no patches have been released at the time of publication. The vulnerability was reserved on 2025-12-02 and published on 2025-12-12. Given WordPress’s widespread use, this vulnerability poses a risk to many websites using the Simple Nivo Slider plugin, especially those with multiple contributors. The scope is limited to sites running the vulnerable plugin versions and allowing contributor-level access to untrusted users.

For European organizations, this vulnerability can lead to unauthorized script execution on their WordPress-powered websites, potentially compromising user sessions, stealing sensitive information, or defacing websites. This can damage brand reputation, lead to data breaches, and cause regulatory compliance issues under GDPR if personal data is exposed. Organizations with collaborative content management environments where multiple users have contributor access are particularly at risk. Attackers exploiting this vulnerability could pivot to further attacks within the organization’s network or use compromised sites to distribute malware or phishing content. The impact is primarily on confidentiality and integrity of web content and user data, with no direct availability impact. Given the medium severity, the threat is significant but not critical, allowing some time for mitigation before widespread exploitation occurs. However, the lack of a patch increases risk until fixed.

1. Immediately audit and restrict contributor-level access to trusted users only, minimizing the number of accounts with such privileges. 2. Implement strict input validation and output escaping on all shortcode parameters, especially the 'id' parameter in the Simple Nivo Slider plugin, if custom modifications are possible. 3. Monitor website content and shortcode usage for suspicious or unexpected scripts or code injections. 4. Apply web application firewall (WAF) rules to detect and block attempts to inject malicious scripts via shortcode parameters. 5. Regularly update the Simple Nivo Slider plugin once the vendor releases a patch addressing this vulnerability. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Use Content Security Policy (CSP) headers to limit the impact of potential XSS by restricting script execution sources. 8. Conduct periodic security scans and penetration tests focusing on WordPress plugins and user input handling.