CVE-2025-13897 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Client Testimonial Slider plugin for WordPress, affecting all versions up to and including 2.0. The vulnerability stems from insufficient input sanitization and output escaping of the 'aft_testimonial_meta_name' custom field within the Client Information metabox. Authenticated users with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into the testimonial meta name field. Because this input is stored and later rendered on administrative pages without proper neutralization, the malicious script executes whenever an administrator or other user accesses the affected page. This can lead to session hijacking, privilege escalation, or unauthorized actions within the WordPress admin interface. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a network attack vector, low attack complexity, required privileges (Contributor), no user interaction, and impacts on confidentiality and integrity with a scope change. No patches or fixes are currently available, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, highlighting improper neutralization of input during web page generation. Given the widespread use of WordPress and the popularity of testimonial slider plugins among small and medium enterprises, this vulnerability poses a moderate risk to affected sites, especially those with multiple contributors or editors.

For European organizations, this vulnerability can lead to unauthorized script execution within WordPress administrative pages, potentially compromising administrative credentials and site integrity. Attackers with Contributor-level access could leverage this to escalate privileges, steal sensitive information, or manipulate site content. This is particularly impactful for organizations relying on WordPress for corporate websites, intranets, or customer-facing portals where multiple users have editing rights. The stored nature of the XSS means the malicious payload persists and can affect multiple users over time. Confidentiality and integrity of administrative sessions are at risk, which could lead to broader compromise of the organization's web infrastructure. Although availability is not directly impacted, the resulting administrative compromise could facilitate further attacks causing downtime or data loss. The medium severity score reflects these risks but also the requirement for authenticated access, limiting exposure to internal or trusted users. Organizations with lax user privilege management or insufficient monitoring are at higher risk.

European organizations should immediately audit WordPress sites using the Client Testimonial Slider plugin to identify affected versions. Until a patch is released, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the 'aft_testimonial_meta_name' field. Employ input validation and output encoding plugins or custom code to sanitize user inputs in the testimonial meta fields. Regularly monitor administrative pages for unusual script injections or unexpected behavior. Educate content contributors about safe input practices and the risks of injecting scripts. Maintain strict access control policies and consider disabling or replacing the vulnerable plugin with a secure alternative. Stay alert for official patches or updates from the vendor and apply them promptly once available. Additionally, conduct periodic security assessments and penetration tests focusing on WordPress plugins and user privilege configurations.