CVE-2025-13896 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Social Feed Gallery Portfolio plugin for WordPress, developed by wpdiscover. The vulnerability arises due to improper neutralization of input during web page generation, specifically through the 'id' parameter of the [igp-wp] shortcode. All versions up to and including 1.3 are affected. The root cause is insufficient input sanitization and output escaping, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the context of any user who accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS v3.1 base score of 6.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or higher), no user interaction, and scope change due to potential impact on other users. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk in multi-user WordPress environments where contributors can add content. The vulnerability was published on December 6, 2025, with no official patch available at the time of reporting, necessitating immediate mitigation efforts by site administrators.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, potentially resulting in session hijacking, data theft, defacement, or further exploitation of user accounts. Since the attack requires authenticated access with Contributor-level privileges, environments with multiple content contributors or editors are at higher risk. The compromise of user sessions can lead to unauthorized access to sensitive information or administrative functions, impacting confidentiality and integrity. The vulnerability does not directly affect availability but can damage organizational reputation and trust if exploited. Given the widespread use of WordPress across Europe, especially in sectors like media, education, and small to medium enterprises, the impact could be significant if exploited at scale. Additionally, the scope change in the CVSS vector indicates that the vulnerability could affect other users beyond the attacker, amplifying its potential impact.

1. Immediately restrict Contributor-level access to trusted users only and review user roles to minimize unnecessary privileges. 2. Implement strict input validation and output escaping on the 'id' parameter if custom modifications are possible before an official patch is released. 3. Deploy a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting WordPress shortcodes. 4. Monitor logs and user activity for unusual behavior indicative of exploitation attempts, such as unexpected script injections or anomalous page content changes. 5. Educate content contributors about the risks of injecting untrusted content and enforce content submission policies. 6. Regularly update the plugin once a patch is released by the vendor. 7. Consider temporarily disabling or replacing the Social Feed Gallery Portfolio plugin if immediate patching is not feasible. 8. Use Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts.