CVE-2025-13904 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WPGancio plugin for WordPress, affecting all versions up to and including 1.12. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes within the plugin's 'gancio-event' shortcode. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector over the network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change due to affecting other users. Although no known exploits are currently reported in the wild, the vulnerability's presence in a widely used WordPress plugin makes it a significant risk for websites relying on WPGancio for event management or related functionality. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that accept user-generated content. The lack of available patches at the time of reporting necessitates immediate mitigation steps by administrators to reduce exposure.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the WPGancio plugin on WordPress platforms. Exploitation can lead to session hijacking, unauthorized actions performed under the context of legitimate users, and potential data leakage of sensitive information accessible via the victim's browser. This can damage organizational reputation, lead to loss of customer trust, and potentially violate data protection regulations such as GDPR if personal data is compromised. Since the attack requires authenticated contributor-level access, insider threats or compromised accounts increase risk. The persistent nature of the stored XSS means that once exploited, multiple users can be affected over time, amplifying the impact. Organizations with public-facing WordPress sites that use this plugin, especially those handling user data or e-commerce, are at greater risk. The medium severity score indicates that while the vulnerability is serious, it does not directly lead to full system compromise or availability loss but can be a stepping stone for further attacks.

1. Immediately audit WordPress sites for the presence of the WPGancio plugin and identify affected versions (up to 1.12). 2. If an official patch becomes available, apply it promptly. 3. In the absence of a patch, restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the 'gancio-event' shortcode parameters. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 6. Regularly monitor logs and user activity for signs of exploitation or unusual behavior. 7. Educate content contributors about safe input practices and the risks of injecting untrusted content. 8. Consider temporarily disabling the plugin if it is not critical to operations until a secure version is released. 9. Use security plugins that scan for stored XSS payloads and sanitize database content if possible. 10. Maintain regular backups to restore clean site states if compromise occurs.