CVE-2025-13904 identifies a stored cross-site scripting vulnerability in the WPGancio plugin for WordPress, specifically in the 'gancio-event' shortcode. The root cause is insufficient sanitization and escaping of user-supplied attributes, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the browsers of any users who visit the infected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.12. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low complexity, requires privileges equivalent to contributor access, does not require user interaction, and impacts confidentiality and integrity with a scope change. No patches or official fixes have been released at the time of publication, and no exploits have been observed in the wild. However, given the widespread use of WordPress and the plugin, this vulnerability presents a credible threat to many websites. The vulnerability is categorized under CWE-79, which is a common and well-understood class of web application security issues related to improper neutralization of input during web page generation.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the vulnerability affects the confidentiality and integrity of user data and site content, it can damage organizational reputation and lead to data breaches. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire website and its users. Organizations relying on the WPGancio plugin for event management or other functionalities are at risk, especially if contributor roles are assigned to untrusted users. The lack of user interaction requirement means that any user visiting an infected page is vulnerable, increasing the attack surface. Although no known exploits are reported yet, the medium severity and ease of exploitation make it a credible threat that could be leveraged in targeted or opportunistic attacks.

1. Immediately audit and restrict contributor-level access on WordPress sites using the WPGancio plugin to trusted users only, minimizing the risk of malicious script injection. 2. Implement strict input validation and output encoding for all user-supplied data in the 'gancio-event' shortcode, ensuring that special characters are properly escaped to prevent script injection. 3. Monitor site content for unexpected or suspicious scripts, especially in pages using the vulnerable shortcode, using automated scanning tools or manual review. 4. Disable or remove the WPGancio plugin temporarily if contributor access cannot be tightly controlled until an official patch is released. 5. Keep WordPress core and all plugins updated regularly, and apply security patches promptly once available for this vulnerability. 6. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website, mitigating the impact of potential XSS payloads. 7. Educate site administrators and contributors about the risks of XSS and safe content management practices. 8. Use security plugins that can detect and block XSS attacks or anomalous behavior related to script injection. These measures collectively reduce the likelihood and impact of exploitation beyond generic advice.