CVE-2025-13963 is a stored cross-site scripting (XSS) vulnerability identified in the falselight FX Currency Converter plugin for WordPress, specifically in the 'fxcc_convert' shortcode. This vulnerability arises from improper neutralization of user-supplied input during web page generation, classified under CWE-79. The plugin fails to adequately sanitize and escape attributes provided by authenticated users with contributor-level permissions or higher, allowing them to inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers within the context of the vulnerable site, potentially compromising session tokens, redirecting users, or performing unauthorized actions. The vulnerability affects all versions up to and including 0.2.0. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. Although no known exploits are currently reported in the wild, the vulnerability's nature makes it a significant risk for WordPress sites using this plugin, especially those with multiple contributors. The stored XSS can lead to confidentiality and integrity impacts but does not affect availability. The vulnerability was published on December 12, 2025, with no patch links available yet, indicating that mitigation strategies need to be implemented promptly to reduce risk.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the falselight FX Currency Converter plugin on WordPress. The stored XSS can lead to session hijacking, defacement, phishing, or unauthorized actions performed in the context of the affected website. This can damage brand reputation, lead to data breaches involving user credentials or personal data, and potentially violate GDPR requirements concerning data protection and breach notification. Organizations in sectors with high web presence such as e-commerce, finance, and media are particularly vulnerable. Since the exploit requires contributor-level access, insider threats or compromised accounts increase risk. The impact on availability is minimal, but confidentiality and integrity of user data and site content can be significantly affected. The scope includes all users visiting the injected pages, potentially amplifying the attack's reach. European entities relying on WordPress plugins for currency conversion or financial data display should be vigilant, as attackers may leverage this vulnerability to target customers or internal users.

1. Immediately restrict contributor-level access to trusted users only and review existing user permissions to minimize risk exposure. 2. Monitor and audit all user-generated content, especially shortcode attributes related to 'fxcc_convert', for suspicious or unexpected input. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the plugin's shortcode parameters. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 5. If possible, temporarily disable the FX Currency Converter plugin until an official patch or update is released by the vendor. 6. Educate content contributors about safe input practices and the risks of injecting untrusted code. 7. Regularly back up website data to enable quick restoration in case of compromise. 8. Monitor security advisories from the plugin vendor and WordPress security communities for updates or patches. 9. Consider alternative, well-maintained currency converter plugins with better security track records. 10. Conduct penetration testing focused on XSS vulnerabilities in user-contributed content areas to identify similar issues.