CVE-2025-13993 is a stored Cross-Site Scripting (XSS) vulnerability identified in the MailerLite – Signup forms (official) plugin for WordPress, specifically in versions up to and including 1.7.16. The vulnerability stems from insufficient input sanitization and output escaping of two parameters: 'form_description' and 'success_message'. These parameters are used to generate web pages dynamically, and the lack of proper neutralization allows an attacker with administrator-level access to inject arbitrary JavaScript code into these fields. Because the malicious script is stored persistently, it executes every time a user visits the affected page, potentially compromising the confidentiality and integrity of user sessions or data. The vulnerability requires the attacker to have high privileges (administrator or higher) and does not require user interaction to trigger the payload. The CVSS 3.1 base score is 5.5, reflecting medium severity, with an attack vector of network, low attack complexity, and privileges required at a high level. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. No known exploits have been reported in the wild as of the publication date. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation, a common cause of XSS vulnerabilities. The plugin is widely used in WordPress environments for managing signup forms, making the vulnerability relevant to many websites that rely on MailerLite for email marketing and user engagement.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can lead to session hijacking, defacement, phishing, or the execution of arbitrary actions on behalf of users who visit the compromised pages. Since exploitation requires administrator privileges, the risk is somewhat mitigated by the need for high-level access; however, if an attacker gains or already has such access, they can leverage this vulnerability to escalate their control or compromise other users. The vulnerability affects the confidentiality and integrity of user data but does not impact availability. Organizations using the affected plugin may face reputational damage, data breaches, and regulatory compliance issues if user data is compromised. The scope of affected systems is broad, given the popularity of WordPress and MailerLite, potentially impacting websites globally. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially if attackers develop exploit code in the future.

To mitigate this vulnerability, organizations should immediately update the MailerLite – Signup forms plugin to a version where the vulnerability is patched once available. In the absence of an official patch, administrators should restrict access to the plugin’s configuration pages to only the most trusted users to minimize the risk of malicious input. Implementing Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the 'form_description' and 'success_message' parameters can provide temporary protection. Additionally, applying strict Content Security Policy (CSP) headers can help reduce the impact of injected scripts by restricting script execution sources. Regularly auditing administrator activities and monitoring for unusual changes in form content can help detect exploitation attempts early. Developers and site administrators should also review and sanitize all user-generated content rigorously, employing secure coding practices to prevent similar vulnerabilities. Finally, educating administrators about the risks of stored XSS and the importance of privilege management can reduce the likelihood of exploitation.