CVE-2025-13898 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Ultra Skype Button plugin for WordPress, developed by sozan45. This vulnerability exists in all versions up to and including 1.0 due to insufficient sanitization and escaping of the 'btn_id' parameter within the [ultra_skype] shortcode. The flaw allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into WordPress pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, meaning the vulnerability can affect components beyond the initially compromised plugin. No patches or known exploits are currently available, and the vulnerability was published on December 6, 2025. The vulnerability primarily threatens WordPress sites using this plugin, especially those with multiple contributors who can submit content containing the malicious shortcode parameter.

For European organizations, this vulnerability poses a risk to WordPress-based websites that utilize the Ultra Skype Button plugin. The ability for contributors to inject persistent malicious scripts can compromise user sessions, steal sensitive information, or manipulate site content, undermining trust and potentially violating data protection regulations such as GDPR. The impact on confidentiality and integrity is significant, as attackers can execute arbitrary scripts in the context of the victim’s browser. Although availability is not directly affected, reputational damage and potential legal consequences from data breaches could be severe. Organizations with collaborative content creation workflows are particularly vulnerable, as contributor-level users are sufficient to exploit this flaw. The absence of a patch increases exposure time, making proactive mitigation critical. Attackers could leverage this vulnerability to target European customers or employees accessing affected sites, especially in sectors like e-commerce, media, and public services where WordPress is prevalent.

1. Immediately audit WordPress sites to identify installations of the Ultra Skype Button plugin and assess usage of the [ultra_skype] shortcode. 2. Restrict Contributor-level user permissions to trusted individuals only, minimizing the risk of malicious shortcode injection. 3. Implement custom input validation and output escaping for the 'btn_id' parameter via WordPress hooks or security plugins to sanitize inputs before rendering. 4. Monitor site content for suspicious shortcode parameters or unexpected script injections using web application firewalls (WAF) and security scanners. 5. Disable or remove the Ultra Skype Button plugin if it is not essential to site functionality until an official patch is released. 6. Educate content contributors about the risks of injecting untrusted code and enforce strict content submission policies. 7. Keep WordPress core and all plugins updated and subscribe to vulnerability advisories for timely patch deployment. 8. Consider deploying Content Security Policy (CSP) headers to restrict script execution sources as an additional defense layer.