CVE-2025-13967 is a stored cross-site scripting vulnerability identified in the Woodpecker for WordPress plugin, specifically in versions up to and including 3.0.4. The vulnerability stems from insufficient input sanitization and output escaping of the 'form_name' parameter within the [woodpecker-connector] shortcode. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user visits the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change affecting confidentiality and integrity but not availability. No patches or exploit code are currently publicly available, but the flaw represents a significant risk given the widespread use of WordPress and the plugin's role in form management. The vulnerability was reserved in December 2025 and published in January 2026 by Wordfence.

The primary impact of this vulnerability is on the confidentiality and integrity of data within affected WordPress sites. Exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, enabling theft of session cookies, credentials, or other sensitive information. It can also lead to defacement, phishing attacks, or unauthorized actions performed with the victim's privileges. Since the vulnerability requires Contributor-level access, it limits exploitation to insiders or compromised accounts with elevated privileges, but such access is common in collaborative content management environments. The persistent nature of stored XSS means that all visitors to the injected page are at risk, potentially amplifying the damage. Although availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences for organizations. Given WordPress's global popularity, many websites could be affected, especially those using the Woodpecker plugin for lead forms and marketing.

Organizations should immediately audit their WordPress installations for the presence of the Woodpecker for WordPress plugin and verify the version in use. Since no official patch links are provided, administrators should consider the following specific mitigations: 1) Restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of insider exploitation. 2) Implement web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'form_name' parameter in the [woodpecker-connector] shortcode. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Regularly monitor logs and user activity for suspicious behavior indicative of exploitation attempts. 5) If feasible, temporarily disable or remove the Woodpecker plugin until a security update is released. 6) Educate content contributors about the risks of injecting untrusted input into form fields. 7) Follow vendor communications closely for patches or updates addressing this vulnerability and apply them promptly once available.