CVE-2025-13907 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the CSS3 Buttons plugin for WordPress developed by tunilame. This vulnerability affects all versions up to and including 0.1. The root cause is insufficient sanitization and escaping of user-supplied input within the 'button' shortcode attributes. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. Because the injected scripts are stored persistently, they execute every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (authenticated contributor or above), no user interaction, and a scope change. The impact includes limited confidentiality and integrity loss but no availability impact. No patches or official fixes are currently listed, and no known exploits have been observed in the wild. The vulnerability is significant because WordPress powers a large portion of the web, and plugins are common attack vectors. The requirement for contributor-level access limits exploitation to insiders or compromised accounts, but the persistent nature of the XSS increases risk to all site visitors.

The primary impact of CVE-2025-13907 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress sites using the CSS3 Buttons plugin. This can lead to session hijacking, theft of sensitive user data such as cookies or credentials, unauthorized actions performed on behalf of users, and defacement or manipulation of site content. The vulnerability compromises the confidentiality and integrity of the affected sites and their users. Although availability is not directly impacted, reputational damage and loss of user trust can have significant business consequences. Organizations relying on this plugin face risks of insider threats or compromised contributor accounts being leveraged for attacks. The medium severity score reflects that exploitation requires some privileges but can be performed remotely without user interaction, increasing the attack surface. The widespread use of WordPress globally means many organizations, especially those with active content contributors, are at risk if they use this plugin.

1. Immediate mitigation involves restricting contributor-level access to trusted users only, minimizing the risk of malicious insiders or compromised accounts exploiting the vulnerability. 2. Disable or remove the CSS3 Buttons plugin until an official patch or update is released by the vendor. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious script injections targeting the 'button' shortcode attributes. 4. Use security plugins that sanitize and validate shortcode inputs or enforce strict content policies. 5. Monitor user activity logs for suspicious contributor behavior or unexpected content changes. 6. Educate content contributors about safe input practices and the risks of injecting untrusted code. 7. Once a patch is available, promptly apply updates to the plugin to remediate the vulnerability. 8. Conduct regular security audits of WordPress plugins and user permissions to identify and mitigate similar risks proactively. 9. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site, reducing the impact of potential XSS payloads.