
CVE-2025-13969: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in eurisko Reviews Sorted

Medium
Tags: Vulnerability, CVE-2025-13969, CWE-79
Published: Fri Dec 12 2025 (12/12/2025, 03:20:49 UTC)
Source: CVE Database V5
Vendor/Project: eurisko
Product: Reviews Sorted

Description

The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the [reviews-slider] shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AI analysis last updated: 12/12/2025, 04:14:33 UTC

Technical Analysis

CVE-2025-13969 is a stored cross-site scripting vulnerability in the Reviews Sorted plugin for WordPress, developed by eurisko. The flaw is improper neutralization of input during web page generation (CWE-79) in the handling of the 'space' attribute of the [reviews-slider] shortcode. Versions up to and including 2.4.2 neither validate the attribute on input nor escape it on output, so an authenticated user with Contributor-level permissions or higher can place a crafted value in post content that the plugin later renders into the page as raw HTML. The Contributor threshold matters: WordPress withholds the unfiltered_html capability from that role and passes its content through wp_kses, which strips script tags and event-handler attributes from HTML, but shortcode attributes are not HTML, so they pass through kses intact and are only as safe as the plugin that renders them. A Contributor cannot publish, but the draft is previewed by the editors or administrators who review it, and once published the script runs for every visitor. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is less likely than script executing inside the victim's session and using that victim's nonces to perform privileged actions (editing other posts, creating users or, from an administrator session, installing plugins), which is how stored XSS in WordPress is typically turned into privilege escalation. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required (Contributor or above), no user interaction, and changed scope because the vulnerable component (the plugin on the server) differs from the impacted one (the victim's browser). No public exploit has been reported at the time of writing, but injection requires nothing beyond a valid Contributor account and a post edit, so exploitation is straightforward once the attribute is known. The risk is greatest on multi-author sites where Contributor accounts are handed out freely or where administrators routinely preview contributor submissions.

Potential Impact

For European organizations, this vulnerability allows attacker-controlled script to run within a trusted website, risking actions performed in victims' sessions, data theft, and content manipulation under the guise of legitimate users. Organizations running WordPress sites with the Reviews Sorted plugin risk injected payloads that compromise internal or customer data, damage reputation, and create regulatory exposure under GDPR if personal data is breached. The impact is heightened where Contributor-level users are numerous, where administrators preview contributor submissions, or where sensitive information is reachable from the affected pages. Because the scope is changed, the attack affects users other than the attacker, increasing potential damage. The absence of a known exploit reduces immediate risk but does not remove it, since attackers routinely weaponize such vulnerabilities soon after disclosure. European sectors with a significant online presence, such as media, e-commerce, and public services, face increased risk if they use this plugin.

Mitigation Recommendations

Immediate mitigation is to update the Reviews Sorted plugin to a version that addresses this vulnerability as soon as one is available; the advisory lists every version up to and including 2.4.2 as affected. Until then, treat the Contributor role as a trust boundary: limit it to known people, review pending submissions from a browser profile that is not logged in as an administrator, and audit existing content for injected values. The shortcode lives in post_content, so searching the wp_posts table for '[reviews-slider' surfaces every post and revision that uses it, and any 'space' value that is not a plain number is suspect. Note that 'space' is a shortcode attribute inside the post body, not an HTTP request parameter: a Web Application Firewall rule must inspect the body of post-save requests (wp-admin/post.php and the wp-json/wp/v2/posts REST route) for [reviews-slider] shortcodes whose attribute values contain quotes, angle brackets or on*= handlers, and a WAF does nothing about payloads that are already stored. A Content Security Policy whose script-src omits 'unsafe-inline' would block the inline handler this bug injects, but many WordPress themes and plugins still depend on inline scripts, so roll the policy out in report-only mode first. If the shortcode is not needed, deactivate the plugin or add a must-use plugin that calls remove_shortcode('reviews-slider') so the attribute is never rendered. Keep backups and an incident response plan ready; if a malicious shortcode is found, treat every administrator or editor who previewed the post as potentially compromised and rotate their credentials and application passwords.
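The content audit described above, as an added example that is not part of the original page or of the Reviews Sorted plugin: a small Python scanner that pulls [reviews-slider] shortcodes out of post content, parses attributes the way WordPress's shortcode attribute parser does (double-quoted, single-quoted and bare values, names lowercased), and flags any 'space' value that is not a plain spacing number. The sample rows are constructed for the example, the assumption that a legitimate 'space' value is numeric with an optional px/em/rem/% unit is the author's (the advisory does not state the plugin's accepted format), and the payload markers are only there to explain why a value was flagged; the allowlist miss is the primary signal.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rows standing in for what a real site would return from
#   SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[reviews-slider%';
# (that query also returns revisions, which is what you want). None of this is real site data.
SAMPLE_POSTS = [
    (101, 'Great feedback so far: [reviews-slider space="20"]'),
    (102, "[reviews-slider space='15px' count=5]"),
    (103, "[reviews-slider space=10]"),
    # Quote breakout: single-quoted attribute carrying a double-quoted handler.
    (104, """[reviews-slider space='" onmouseover="alert(document.cookie)" x="']"""),
    # Entity-encoded variant of the same idea, in case the value is decoded before rendering.
    (105, '[reviews-slider space="20&quot; autofocus onfocus=&quot;alert(1)"]'),
    (106, 'No slider here, just [gallery ids="1,2"]'),
]

# Matches one shortcode invocation. Stops at the first ']', so a payload containing a
# literal ']' is truncated and needs manual review (see usage note).
SHORTCODE_RE = re.compile(r"\[reviews-slider\b([^\]]*)\]", re.IGNORECASE)

# Same three value forms WordPress's shortcode_parse_atts accepts: "..", '..', or bare.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")

# ASSUMPTION: a legitimate spacing value is a number with an optional CSS unit.
EXPECTED_VALUE_RE = re.compile(r"^\d+(?:\.\d+)?(?:px|em|rem|%)?$")

# Explanatory markers only; a value is already suspect once it misses the allowlist.
PAYLOAD_MARKERS = [
    (re.compile(r"""[<>"']"""), "HTML or quote character"),
    (re.compile(r"\bon\w+\s*=", re.I), "event-handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
    (re.compile(r"&(?:#\d+|#x[0-9a-f]+|quot|lt|gt|apos);", re.I), "HTML entity (encoded breakout)"),
]


@dataclass
class Finding:
    post_id: int
    value: str
    reasons: list = field(default_factory=list)


def parse_attrs(attr_text):
    """Return {name: value} for the attribute text inside one shortcode."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        # Exactly one of the three value groups matched; take it.
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[name] = value
    return attrs


def classify(value):
    """Empty list if the value looks like plain spacing, else the reasons it is suspect."""
    if EXPECTED_VALUE_RE.fullmatch(value):
        return []
    reasons = [label for rx, label in PAYLOAD_MARKERS if rx.search(value)]
    return reasons or ["not a plain spacing value"]


def audit_posts(posts):
    """Scan (post_id, post_content) rows and return a Finding per suspicious 'space' value."""
    findings = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            attrs = parse_attrs(sc.group(1))
            if "space" not in attrs:
                continue
            reasons = classify(attrs["space"])
            if reasons:
                findings.append(Finding(post_id, attrs["space"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f.post_id}: space={f.value!r} -> {', '.join(f.reasons)}")
```

Feed it rows from the database query in the comment (wp db query from WP-CLI, or a read replica) and review every flagged post, its revisions and its author. The scanner is an audit aid, not a fix: it finds stored payloads, and the shortcode regex intentionally stops at the first ']', so any hit whose raw post_content contains a ']' inside the attribute text should be read by hand.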


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-12-03T15:31:24.261Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 693b9187650da22753edbd29

Added to database: 12/12/2025, 3:52:39 AM

Last enriched: 12/12/2025, 4:14:33 AM

Last updated: 12/14/2025, 6:30:47 AM

