CVE-2025-13960 identifies a stored Cross-Site Scripting (XSS) vulnerability in the GPXpress plugin for WordPress, specifically in the handling of the 'gpxpress' shortcode. The vulnerability exists due to insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the victim's session. The vulnerability affects all versions up to and including 1.3 of GPXpress. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low complexity, requires privileges of an authenticated contributor or above, does not require user interaction, and impacts confidentiality and integrity with a scope change (meaning the vulnerability can affect resources beyond the vulnerable component). No patches or exploit code are currently publicly available, but the vulnerability is published and should be treated seriously given the potential impact on WordPress sites using this plugin.

The primary impact of this vulnerability is the compromise of confidentiality and integrity of affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, defacing content, or performing unauthorized actions on behalf of users. This can lead to account takeover, data leakage, or further compromise of the site infrastructure. Since WordPress powers a significant portion of the web, and GPXpress is a plugin used for GPS data display, organizations relying on this plugin for content delivery or user engagement may face reputational damage, loss of user trust, and operational disruption. The vulnerability's exploitation scope includes all users who view the injected content, broadening the potential victim base. Although no known exploits are reported in the wild, the ease of exploitation and the common use of WordPress make this a credible threat to websites worldwide.

Organizations should immediately audit their WordPress installations for the presence of the GPXpress plugin and verify the version in use. Since no official patch is currently available, administrators should consider disabling or uninstalling the plugin until a fixed version is released. Restrict contributor-level and higher privileges to trusted users only, and review user roles to minimize the risk of malicious script injection. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs that may contain script tags or event handlers. Employ Content Security Policy (CSP) headers to restrict script execution sources and mitigate the impact of injected scripts. Regularly monitor site content for unauthorized changes and conduct security scans to detect XSS payloads. Once a patch is released, promptly update the plugin to the fixed version. Additionally, educate content contributors about safe input practices and the risks of injecting untrusted content.