CVE-2025-13963 is a stored cross-site scripting vulnerability identified in the falselight FX Currency Converter plugin for WordPress, affecting all versions up to and including 0.2.0. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes within the plugin’s 'fxcc_convert' shortcode. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts using the shortcode. When other users visit these compromised pages, the malicious scripts execute in their browsers, potentially allowing attackers to hijack user sessions, steal cookies, perform actions on behalf of users, or escalate privileges. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common and impactful web security issue. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low complexity, requiring privileges but no user interaction, and a scope change due to affecting other users. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects all plugin versions up to 0.2.0, which suggests that users should either update to a fixed version once available or apply alternative mitigations. Given WordPress’s widespread use, especially in e-commerce and content-heavy sites, this vulnerability poses a significant risk to site integrity and user security.

The impact of CVE-2025-13963 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and privilege escalation. This can result in compromised user accounts, defacement, or further malware distribution. Since the vulnerability requires contributor-level access, attackers must first gain some level of authenticated access, which may be feasible through social engineering or exploiting other vulnerabilities. The scope of impact extends to all users who visit the infected pages, increasing the potential damage. Organizations relying on the FX Currency Converter plugin for financial or transactional content could face reputational damage, data breaches, and regulatory consequences if exploited. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities once disclosed.

To mitigate CVE-2025-13963, organizations should first check for and apply any official patches or updates from the falselight plugin vendor once released. Until a patch is available, administrators should consider disabling or removing the FX Currency Converter plugin to eliminate the attack surface. Restrict contributor-level access strictly to trusted users and audit existing user permissions to minimize the risk of malicious shortcode injection. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute inputs or script injections. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly scan WordPress sites for injected malicious content using security plugins or external tools. Educate content contributors about safe input practices and monitor site content for unexpected changes. Finally, maintain comprehensive backups and incident response plans to quickly recover from any compromise.