CVE-2025-13969 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Reviews Sorted plugin for WordPress, developed by eurisko. This vulnerability affects all plugin versions up to and including 2.4.2. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of the 'space' parameter within the [reviews-slider] shortcode. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize this shortcode. Because the malicious script is stored, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector over the network, low attack complexity, and requiring privileges but no user interaction. The scope is changed, as the vulnerability affects components beyond the attacker’s privileges due to script execution in other users’ browsers. No known public exploits have been reported yet. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that allow user-generated content or shortcode parameters. Since the plugin is widely used in WordPress sites for managing reviews, the vulnerability poses a risk to many websites that rely on it for displaying customer feedback or testimonials.

The impact of CVE-2025-13969 is significant for organizations using the Reviews Sorted plugin on WordPress sites. Successful exploitation can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, and defacement or manipulation of website content. Because the vulnerability is stored XSS, the malicious payload persists and affects all visitors to the compromised pages, increasing the attack surface. This can damage brand reputation, lead to data breaches, and potentially facilitate further attacks such as privilege escalation or malware distribution. Organizations with Contributor-level users who can inject content are at particular risk, as insider threats or compromised contributor accounts can be leveraged. The vulnerability does not directly affect system availability but compromises confidentiality and integrity of user data and site content. Given WordPress’s global popularity, the threat can impact a wide range of sectors including ecommerce, media, education, and government websites that use this plugin for reviews or testimonials.

To mitigate CVE-2025-13969, organizations should immediately review and restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. Administrators should audit existing content generated via the [reviews-slider] shortcode for suspicious or unexpected scripts and remove any malicious code. Until an official patch is released, consider disabling or removing the Reviews Sorted plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script payloads targeting the 'space' parameter. Encourage plugin developers or site maintainers to implement proper input sanitization and output escaping for all shortcode parameters, following WordPress security best practices. Regularly monitor logs and user activity for signs of exploitation attempts. Educate content contributors about the risks of injecting untrusted content. Once a patch or update is available from eurisko, apply it promptly to remediate the vulnerability permanently.