CVE-2025-13899 identifies a stored Cross-Site Scripting (XSS) vulnerability in the pntrinh TR Timthumb plugin for WordPress, present in all versions up to and including 1.0.4. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of shortcode attributes. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via shortcode attributes. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability does not require user interaction beyond visiting the compromised page, and the attacker must have at least Contributor-level access, which is a relatively low privilege level in WordPress. The CVSS 3.1 base score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. The scope is changed, indicating that the vulnerability can affect resources beyond the initially compromised component. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the pntrinh TR Timthumb plugin on WordPress. Successful exploitation can lead to the injection of malicious scripts that compromise user sessions, steal sensitive information, or perform unauthorized actions on behalf of users. This can damage organizational reputation, lead to data breaches, and potentially facilitate further attacks such as phishing or malware distribution. Since Contributor-level access is sufficient for exploitation, insider threats or compromised accounts with limited privileges could be leveraged. The impact is heightened for organizations relying on WordPress for customer-facing or internal portals, especially those handling personal data under GDPR regulations. The vulnerability does not directly affect availability but compromises confidentiality and integrity, which can have regulatory and operational consequences.

European organizations should immediately audit their WordPress installations to identify the presence of the pntrinh TR Timthumb plugin and verify the version in use. Since no official patch links are provided, administrators should consider the following mitigations: 1) Restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious shortcode injection. 2) Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute patterns or script injections. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 4) Regularly monitor logs and user activity for unusual shortcode usage or content changes. 5) Consider disabling or replacing the vulnerable plugin with a secure alternative if immediate patching is not available. 6) Educate content contributors on secure content practices and the risks of injecting untrusted code. 7) Stay updated with vendor advisories for any forthcoming patches or security updates.