CVE-2025-13896 is a stored cross-site scripting (XSS) vulnerability identified in the Social Feed Gallery Portfolio plugin for WordPress, developed by wpdiscover. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the handling of the 'id' parameter within the [igp-wp] shortcode. All plugin versions up to and including 1.3 are affected. The root cause is insufficient input sanitization and output escaping, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or above), no user interaction, and scope change. The impact primarily affects confidentiality and integrity, with no direct availability impact. No public exploits have been reported yet, and no official patches are currently linked, indicating the need for vigilance and proactive mitigation. This vulnerability is particularly concerning in multi-user WordPress environments where contributors can add content but are not fully trusted administrators. The stored nature of the XSS means the malicious payload persists on the server and affects all users viewing the compromised content. The CWE-79 classification confirms the issue as a classic cross-site scripting flaw due to improper input validation and output encoding.

For European organizations, this vulnerability poses a significant risk to websites using the Social Feed Gallery Portfolio plugin on WordPress, especially those with multiple contributors managing content. Exploitation can lead to unauthorized script execution in the context of users’ browsers, potentially exposing session cookies, user credentials, or enabling further attacks such as phishing or privilege escalation. Confidentiality and integrity of user data and site content can be compromised, undermining trust and potentially leading to reputational damage. While availability is not directly impacted, the indirect consequences of compromised user accounts or defaced content can disrupt business operations. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and e-commerce, face heightened risks due to potential data breaches and non-compliance with GDPR. The requirement for Contributor-level access limits the attack surface but does not eliminate risk, as many organizations allow multiple contributors. The absence of known exploits in the wild provides a window for remediation, but the vulnerability’s presence in all plugin versions up to 1.3 means many sites could be exposed. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, increasing potential impact.

1. Immediately audit WordPress sites for the presence of the Social Feed Gallery Portfolio plugin and identify versions up to 1.3. 2. Restrict Contributor-level access strictly to trusted users, minimizing the number of users who can inject content via the vulnerable shortcode. 3. Implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'id' parameter in the [igp-wp] shortcode. 4. Monitor site content for unexpected or suspicious script injections, especially in pages utilizing the shortcode. 5. Disable or remove the plugin temporarily if feasible until an official patch or update is released by the vendor. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content review processes. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 8. Regularly check for vendor updates or security advisories and apply patches promptly once available. 9. Conduct penetration testing focusing on XSS vectors in WordPress environments to identify similar vulnerabilities. 10. Consider alternative plugins with better security track records if the vendor does not provide timely fixes.