CVE-2025-13900 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Popup Magic plugin for WordPress, affecting all versions up to and including 1.0.0. The root cause is insufficient input sanitization and output escaping of the 'name' parameter within the [wppum_end] shortcode. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers with the privileges of the affected site, potentially enabling session hijacking, privilege escalation, or defacement. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS 3.1 base score of 6.4, indicating medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction, and the scope is changed as the vulnerability affects components beyond the attacker’s privileges. No patches or updates have been officially released at the time of this report, and no known exploits have been observed in the wild. The vulnerability is particularly concerning because Contributor-level access is commonly granted to users who can create or edit content, making exploitation feasible in many WordPress environments. The plugin’s widespread use in WordPress sites increases the potential attack surface.

The impact of CVE-2025-13900 can be significant for organizations using the WP Popup Magic plugin. Successful exploitation allows attackers to inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to user accounts. Attackers may also perform actions on behalf of users, deface websites, or redirect visitors to malicious sites. Since the vulnerability requires Contributor-level access, it could be exploited by malicious insiders or compromised accounts with limited privileges, escalating their impact. The scope change means that the attacker can affect users with higher privileges than themselves, increasing the risk. Organizations relying on WordPress for critical business functions or handling sensitive user data face risks to confidentiality and integrity. Additionally, reputational damage and regulatory consequences may arise if customer data is compromised or if the site is used to distribute malware.

To mitigate CVE-2025-13900, organizations should immediately audit user roles and permissions to ensure that only trusted users have Contributor-level or higher access. Implement strict access controls and monitor for unusual content submissions or shortcode usage. Since no official patch is currently available, consider temporarily disabling or removing the WP Popup Magic plugin until a fix is released. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'name' parameter in the [wppum_end] shortcode. Conduct thorough input validation and output encoding on all user-supplied data in custom themes or plugins to reduce XSS risks. Regularly update WordPress core, plugins, and themes to incorporate security fixes. Educate content creators and administrators about the risks of XSS and the importance of reporting suspicious behavior. Finally, monitor logs and user activity for signs of exploitation attempts or successful attacks.