CVE-2025-13896 is a stored cross-site scripting (XSS) vulnerability identified in the Social Feed Gallery Portfolio plugin for WordPress, developed by wpdiscover. This vulnerability exists due to improper neutralization of input during web page generation, specifically within the 'id' parameter of the [igp-wp] shortcode. Versions up to and including 1.3 fail to adequately sanitize and escape user-supplied input, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or phishing. The vulnerability is classified under CWE-79 and has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed because the vulnerability can affect other users beyond the attacker. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow shortcode parameters to influence page content dynamically.

The primary impact of CVE-2025-13896 is on the confidentiality and integrity of user data within affected WordPress sites. Successful exploitation allows an attacker with Contributor-level access to inject persistent malicious scripts that execute in the context of other users’ browsers, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of victims. Although availability is not directly impacted, the trustworthiness and security posture of the affected website can be severely undermined. For organizations, this can result in reputational damage, loss of customer trust, and potential compliance violations if user data is compromised. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by the need for an attacker to have at least Contributor privileges, but insider threats or compromised accounts increase the risk. The scope of impact extends beyond the attacker to all users who view the infected pages, amplifying the potential damage. Given the widespread use of WordPress and the popularity of social feed plugins, many organizations running this plugin are at risk if they do not update or mitigate the vulnerability promptly.

Organizations should immediately verify if they are using the Social Feed Gallery Portfolio plugin version 1.3 or earlier and plan to update to a patched version once available. In the absence of an official patch, administrators can mitigate risk by restricting Contributor-level access or higher to trusted users only, minimizing the attack surface. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'id' parameter of the [igp-wp] shortcode can provide temporary protection. Additionally, site administrators should audit existing content for injected scripts and remove any suspicious entries. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting script execution sources. Regularly monitoring logs for unusual activity and educating users about phishing and social engineering risks related to XSS attacks are also recommended. Finally, plugin developers should be encouraged to adopt secure coding practices, including proper input validation and output encoding, to prevent similar vulnerabilities.