CVE-2025-13971 is a stored cross-site scripting (XSS) vulnerability identified in the TWW Protein Calculator plugin for WordPress, affecting all versions up to and including 1.0.24. The vulnerability arises from improper neutralization of input during web page generation, specifically via the 'Header' setting, which lacks sufficient input sanitization and output escaping. This flaw allows authenticated attackers with administrator-level privileges to inject arbitrary JavaScript code into pages within multi-site WordPress installations where the 'unfiltered_html' capability is disabled. When other users access these injected pages, the malicious scripts execute in their browsers, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is scoped to multi-site configurations, limiting its reach, and requires high privileges to exploit, as attackers must have admin access. The CVSS 3.1 base score is 4.4 (medium severity), reflecting the network attack vector, high attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits or active exploitation have been reported to date. The vulnerability was published on December 12, 2025, and no official patches have been linked yet, necessitating proactive mitigation by affected users.

For European organizations, this vulnerability poses a moderate risk primarily to those operating WordPress multi-site installations using the TWW Protein Calculator plugin. Successful exploitation could lead to unauthorized script execution in users' browsers, resulting in session hijacking, theft of sensitive information, or unauthorized administrative actions. This can compromise the confidentiality and integrity of organizational data and user accounts. Given the requirement for administrator-level access to exploit, the threat is more internal or targeted rather than opportunistic. However, in environments with multiple administrators or less stringent access controls, the risk increases. The impact is heightened in sectors with strict data protection regulations like GDPR, where data breaches or unauthorized access can lead to significant legal and financial consequences. Additionally, organizations relying on WordPress for public-facing or internal portals may suffer reputational damage if users are exposed to malicious scripts. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.

1. Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of privilege abuse. 2. Monitor and audit administrator activities regularly to detect any unauthorized changes to plugin settings, especially the 'Header' field in the TWW Protein Calculator plugin. 3. Implement web application firewalls (WAFs) with rules to detect and block suspicious script injections or unusual POST requests targeting plugin settings. 4. Temporarily disable or remove the TWW Protein Calculator plugin in multi-site environments until an official patch is released. 5. If disabling the plugin is not feasible, apply custom input validation and output escaping at the application or server level to sanitize the 'Header' input. 6. Educate administrators about the risks of XSS and safe plugin configuration practices. 7. Keep WordPress core and all plugins updated and subscribe to vendor security advisories for timely patch deployment. 8. Consider isolating multi-site installations or limiting their exposure to reduce attack surface. 9. Regularly back up site data to enable recovery in case of compromise.