CVE-2025-13900 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Popup Magic plugin for WordPress, specifically affecting all versions up to and including 1.0.0. The root cause is insufficient sanitization and escaping of the 'name' parameter within the [wppum_end] shortcode, which allows an authenticated attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. This malicious script is stored persistently and executes in the context of any user who accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the user. The vulnerability is exploitable remotely over the network without user interaction, with low attack complexity, but requires authenticated access with at least Contributor rights, which is a moderate barrier. The CVSS v3.1 score of 6.4 reflects a medium severity rating, indicating partial impacts on confidentiality and integrity but no impact on availability. The vulnerability has been publicly disclosed as of January 2026, but no patches or known exploits have been reported yet. This vulnerability is significant because WordPress is widely used across Europe, and many organizations allow multiple contributors to manage content, increasing the risk of exploitation. Attackers could leverage this vulnerability to implant persistent malicious scripts that compromise site visitors or administrators, potentially leading to data theft or further compromise of the web environment.

For European organizations, the impact of CVE-2025-13900 can be considerable, especially for those relying on WordPress sites with multiple content contributors. Exploitation allows attackers to execute arbitrary scripts in the browsers of site visitors or administrators, potentially leading to theft of authentication cookies, defacement, or unauthorized actions performed with the victim’s privileges. This can result in data breaches, loss of user trust, and reputational damage. Organizations in sectors such as e-commerce, government, education, and media, which often use WordPress and have collaborative content management, are particularly at risk. The confidentiality and integrity of sensitive information could be compromised, although availability is not directly affected. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts increase risk. Additionally, the cross-site scripting can be used as a pivot point for more advanced attacks, including malware distribution or lateral movement within the network. The lack of a patch at the time of disclosure means organizations must rely on compensating controls until updates are available.

1. Immediately audit and restrict Contributor-level and higher user privileges to trusted personnel only, minimizing the risk of malicious shortcode injection. 2. Implement strict input validation and output encoding for any user-generated content, especially shortcodes, to prevent script injection. 3. Monitor WordPress logs and content for suspicious or unexpected shortcode usage, particularly the [wppum_end] shortcode and its 'name' parameter. 4. Use Web Application Firewalls (WAFs) with custom rules to detect and block attempts to inject or execute malicious scripts via this vulnerability. 5. Disable or remove the WP Popup Magic plugin if it is not essential, reducing the attack surface. 6. Stay alert for official patches or updates from the vendor and apply them promptly once available. 7. Educate content contributors about security best practices and the risks of injecting untrusted content. 8. Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts by restricting script sources. 9. Regularly back up WordPress sites and test restoration procedures to recover quickly from potential compromises. 10. Conduct periodic security assessments and penetration tests focusing on WordPress plugins and user privilege configurations.