CVE-2025-13971 is a stored Cross-Site Scripting (XSS) vulnerability identified in the TWW Protein Calculator plugin for WordPress, affecting all versions up to and including 1.0.24. The flaw arises from improper neutralization of input during web page generation, specifically through insufficient sanitization and output escaping of the 'Header' setting input. This vulnerability is exploitable only in multi-site WordPress installations where the unfiltered_html capability is disabled, and requires the attacker to have administrator-level privileges. An authenticated administrator can inject arbitrary JavaScript code into the 'Header' field, which is then stored and executed in the context of any user visiting the affected page. This stored XSS can lead to session hijacking, privilege escalation, or unauthorized actions performed on behalf of users. The vulnerability does not require user interaction beyond visiting the compromised page. The CVSS v3.1 base score is 4.4, reflecting a medium severity due to the requirement for high privileges and the complexity of exploitation. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.

The primary impact of CVE-2025-13971 is on the confidentiality and integrity of affected WordPress multi-site environments using the TWW Protein Calculator plugin. An attacker with administrator access can inject malicious scripts that execute in the browsers of users visiting the compromised pages, potentially stealing session cookies, performing unauthorized actions, or defacing content. While availability is not directly affected, the breach of trust and potential data leakage can have significant reputational and operational consequences. Organizations relying on multi-site WordPress setups with this plugin are at risk, especially if administrator accounts are compromised or insufficiently protected. The requirement for administrator privileges limits the scope of exploitation but does not eliminate risk, as insider threats or compromised admin credentials could be leveraged. The lack of known exploits in the wild suggests limited active exploitation currently, but the vulnerability remains a concern for environments with high-value targets or sensitive data.

1. Apply patches or updates from the vendor as soon as they become available to address the input sanitization and output escaping issues in the 'Header' setting. 2. Until a patch is released, restrict administrator access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 3. Review and harden WordPress multi-site configurations, particularly the use of the unfiltered_html capability, to minimize exposure. 4. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting the plugin. 5. Conduct regular security audits and code reviews of installed plugins to identify and remediate similar vulnerabilities proactively. 6. Educate administrators about the risks of stored XSS and safe input handling practices. 7. Monitor logs and user activity for signs of exploitation or unusual behavior related to the plugin. 8. Consider disabling or replacing the TWW Protein Calculator plugin if it is not essential to reduce attack surface.