CVE-2025-13903: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ctietze PullQuote
The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-13903 is a stored Cross-Site Scripting (XSS) vulnerability identified in the PullQuote plugin for WordPress, developed by ctietze. The vulnerability exists in all versions up to and including 1.0 due to insufficient sanitization and escaping of user-supplied input within the 'pullquote' shortcode attributes. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages or posts. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. Although no known exploits are reported in the wild, the vulnerability's presence in a popular CMS plugin makes it a significant risk. The issue stems from the plugin's failure to properly sanitize and escape shortcode attributes before rendering them on the page, which is a common vector for stored XSS in WordPress plugins. The vulnerability affects the confidentiality and integrity of the affected sites but does not impact availability. The plugin author or maintainers should release a patch to properly sanitize inputs and escape outputs. Until then, site administrators should consider disabling the plugin or restricting contributor permissions to trusted users only.
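As an added illustration, not the PullQuote plugin's own code: a hypothetical `[pullquote]` shortcode handler written first in the unescaped form the advisory describes, then hardened with WordPress's context-specific escaping and kses filtering. Function names, the attribute set (`align`, `cite`) and the HTML shape are assumptions for the example.

```php
<?php
// Added example (not the PullQuote plugin's code): a hypothetical [pullquote]
// shortcode, in the unsafe form the advisory describes and then hardened.

// UNSAFE: attribute values are interpolated into HTML without escaping, so a
// contributor-supplied attribute value can break out of the class or cite
// attribute and inject markup that runs when the page is viewed.
function example_pullquote_unsafe( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'align' => 'left', 'cite' => '' ), $atts, 'pullquote' );
    return '<blockquote class="pullquote ' . $atts['align'] . '" cite="' . $atts['cite'] . '">'
        . $content . '</blockquote>';
}

// HARDENED: validate against a fixed list where the legal values are known,
// escape with the function that matches the output context, and pass nested
// content through kses so it is limited to what a post may contain.
function example_pullquote_safe( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'align' => 'left', 'cite' => '' ), $atts, 'pullquote' );

    // 'align' becomes a class name: accept only the three known values.
    $allowed = array( 'left', 'right', 'center' );
    $align   = in_array( $atts['align'], $allowed, true ) ? $atts['align'] : 'left';

    // 'cite' lands in a URL attribute: esc_url() returns '' for disallowed schemes.
    $cite = esc_url( $atts['cite'] );

    // Nested content: expand inner shortcodes, then strip anything outside the
    // post-content allow list (no script elements, no event-handler attributes).
    $inner = wp_kses_post( do_shortcode( (string) $content ) );

    return sprintf(
        '<blockquote class="pullquote %s"%s>%s</blockquote>',
        esc_attr( $align ),
        '' !== $cite ? ' cite="' . $cite . '"' : '',
        $inner
    );
}

add_shortcode( 'pullquote', 'example_pullquote_safe' );
```

The fix is applied per output context: a class token is validated rather than escaped, a URL attribute goes through `esc_url()`, and free-form inner HTML is filtered by `wp_kses_post()` instead of being trusted because the author holds a contributor role.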
Potential Impact
The primary impact of CVE-2025-13903 is the compromise of confidentiality and integrity of WordPress sites using the PullQuote plugin. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized actions such as content modification, or distribution of malware. This can damage the reputation of affected organizations, lead to data breaches, and undermine user trust. Since WordPress powers a significant portion of websites globally, and PullQuote is a plugin used to enhance content presentation, many organizations including blogs, media sites, and corporate portals could be affected. The vulnerability requires authenticated access but no user interaction, making it easier for insiders or compromised contributor accounts to exploit. The scope change in CVSS indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire site. Although availability is not directly impacted, the indirect effects such as site defacement or blacklisting by search engines can cause operational disruptions. Organizations with large contributor bases or less stringent access controls are at higher risk.
Mitigation Recommendations
1. Apply patches or updates from the PullQuote plugin developer as soon as they become available to ensure proper input sanitization and output escaping.
2. In the absence of an official patch, temporarily disable the PullQuote plugin to eliminate the attack vector.
3. Restrict contributor-level permissions to trusted users only, minimizing the risk of malicious script injection by insiders or compromised accounts.
4. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting shortcode attributes.
5. Conduct regular security audits and code reviews of installed plugins to identify and remediate insecure coding practices.
6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission guidelines.
7. Monitor website logs and user activity for suspicious behavior indicative of exploitation attempts.
8. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site.
9. Back up website data regularly to enable quick recovery in case of compromise.
10. Consider using security plugins that scan for known vulnerabilities and malicious code injections.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Netherlands, Brazil, Japan, South Korea, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-02T16:34:18.320Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6960e8e4a48af7d8cea187c6
Added to database: 1/9/2026, 11:39:16 AM
Last enriched: 2/27/2026, 10:30:51 AM
Last updated: 3/24/2026, 4:39:29 PM
Views: 63