CVE-2025-13971 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the TWW Protein Calculator plugin for WordPress. This vulnerability exists in all versions up to and including 1.0.24 due to insufficient sanitization and escaping of user input in the 'Header' setting. Specifically, authenticated users with administrator privileges on multisite WordPress installations where the unfiltered_html capability is disabled can inject arbitrary JavaScript code into pages. When other users visit these pages, the injected scripts execute in their browsers, potentially allowing attackers to steal session tokens, manipulate page content, or perform actions on behalf of users. The vulnerability requires high privileges (administrator) and does not require user interaction beyond visiting the affected page. It affects only multisite WordPress setups with unfiltered_html disabled, limiting its exposure. The CVSS 3.1 base score is 4.4 (medium), reflecting the need for administrator access and the limited impact on confidentiality and integrity, with no availability impact. No patches or known exploits are currently reported, but the vulnerability poses a risk in environments where the plugin is deployed and multisite configurations are used.

For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress multisite environments, potentially compromising user sessions, defacing websites, or enabling further attacks such as privilege escalation or data theft. Although exploitation requires administrator access, insider threats or compromised admin accounts could leverage this vulnerability to escalate attacks. The impact on confidentiality and integrity is limited but non-negligible, especially for organizations relying on WordPress multisite for managing multiple domains or sub-sites. Given the widespread use of WordPress in Europe, particularly in sectors such as education, government, and SMEs, the vulnerability could affect a significant number of sites if the plugin is installed. The lack of availability impact reduces the risk of service disruption, but reputational damage and data leakage remain concerns. Organizations with strict data protection requirements under GDPR must consider the potential for personal data exposure through XSS attacks.

European organizations should take several specific steps to mitigate this vulnerability: 1) Immediately audit WordPress multisite installations to identify the presence of the TWW Protein Calculator plugin and verify the version in use. 2) Restrict administrator privileges to trusted personnel only, minimizing the risk of malicious or accidental exploitation. 3) Where possible, enable the unfiltered_html capability safely to reduce the attack surface, or alternatively, implement strict input validation and output escaping for the 'Header' setting manually if plugin updates are unavailable. 4) Monitor multisite environments for unusual script injections or anomalous administrator activity using security plugins or web application firewalls (WAFs) with XSS detection capabilities. 5) Develop and test incident response plans for potential XSS incidents, including user session invalidation and forensic analysis. 6) Engage with the plugin vendor or community to obtain patches or updates as they become available, and apply them promptly. 7) Educate administrators on secure plugin configuration and the risks of stored XSS in multisite contexts.