CVE-2025-13897 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Client Testimonial Slider plugin for WordPress, developed by amu02aftab. This vulnerability exists in all versions up to and including 2.0 due to insufficient input sanitization and output escaping of the 'aft_testimonial_meta_name' custom field within the Client Information metabox. Specifically, authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code into this field. Because the plugin fails to properly neutralize this input during page generation, the malicious script is stored and subsequently executed in the context of any administrative page that loads the injected content. This can lead to session hijacking, privilege escalation, or unauthorized actions performed on behalf of legitimate users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based (remote), requires low attack complexity, and privileges at the Contributor level, with no user interaction needed. The scope is changed because the vulnerability affects multiple users and potentially the entire site. No public exploits have been reported yet, but the vulnerability is publicly disclosed and documented in the CVE database. The plugin’s widespread use in WordPress sites makes this a relevant threat for many organizations relying on this CMS and plugin combination.

The primary impact of CVE-2025-13897 is the potential for stored XSS attacks that can compromise the confidentiality and integrity of affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of administrators or other privileged users who visit the compromised pages. This can lead to session hijacking, theft of authentication tokens, unauthorized changes to site content or configuration, and potential privilege escalation. While availability is not directly affected, the resulting compromise could lead to further attacks that degrade site functionality or trustworthiness. Organizations using the vulnerable plugin risk data breaches, defacement, or unauthorized administrative actions. Since WordPress powers a significant portion of the web, especially small to medium businesses and content-driven sites, the scope of impact is broad. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the low privilege threshold (Contributor) means many users could potentially exploit this. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities post-disclosure.

To mitigate CVE-2025-13897, organizations should first monitor for and apply any official patches or updates released by the plugin vendor immediately upon availability. In the absence of patches, restrict Contributor-level and higher access to trusted users only, minimizing the risk of malicious input injection. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'aft_testimonial_meta_name' field. Conduct regular audits of user roles and permissions to ensure least privilege principles are enforced. Employ security plugins that provide input sanitization and output escaping enhancements for WordPress. Additionally, site administrators can manually sanitize existing testimonial entries to remove potentially malicious scripts. Educate users with editing privileges about the risks of injecting untrusted content. Finally, consider disabling or replacing the vulnerable plugin with a secure alternative if immediate patching is not feasible.