CVE-2025-13900 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Popup Magic plugin for WordPress, specifically affecting all versions up to and including 1.0.0. The root cause is insufficient sanitization and escaping of user input in the 'name' parameter of the [wppum_end] shortcode. This flaw allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored on the server and rendered whenever the page is accessed, any visitor or user viewing the infected page will execute the injected script in their browser context. The vulnerability does not require user interaction to trigger once the page is loaded, and the attack complexity is low, making exploitation feasible for attackers with limited privileges. The CVSS 3.1 score of 6.4 reflects a medium severity, with the impact primarily on confidentiality and integrity, as attackers could steal session cookies, perform actions on behalf of other users, or manipulate page content. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is particularly concerning for WordPress sites that allow multiple contributors or editors, as it expands the attack surface beyond administrators. Since WordPress is widely used across Europe, and the plugin is publicly available, organizations using WP Popup Magic should consider immediate mitigation steps to prevent exploitation.

For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress sites, potentially resulting in session hijacking, credential theft, defacement, or unauthorized actions performed on behalf of legitimate users. Given the stored nature of the XSS, the malicious payload persists and affects all visitors to the compromised pages, increasing the risk of widespread impact. Organizations with multi-user WordPress environments, especially those allowing Contributor-level access to external or less-trusted users, face elevated risks. The confidentiality of user data and integrity of website content are at risk, which could damage organizational reputation and lead to regulatory compliance issues under GDPR if personal data is compromised. Although availability is not directly impacted, the indirect consequences of trust erosion and potential legal penalties could be significant. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed rapidly given the low complexity of the vulnerability.

European organizations using the WP Popup Magic plugin should take the following specific actions: 1) Immediately audit WordPress sites to identify installations of WP Popup Magic and confirm the plugin version. 2) If an updated, patched version becomes available, prioritize upgrading to eliminate the vulnerability. 3) Until a patch is released, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 4) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'name' parameter in the [wppum_end] shortcode. 5) Conduct regular security reviews and scanning for injected scripts or anomalous content on affected pages. 6) Educate content contributors about safe input practices and the risks of injecting untrusted content. 7) Consider disabling or removing the WP Popup Magic plugin if it is not essential to reduce the attack surface. 8) Monitor security advisories from the plugin vendor and WordPress security communities for updates or patches. These targeted steps go beyond generic advice by focusing on permission management, input filtering, and proactive detection tailored to this specific vulnerability.