CVE-2025-13731 Overview
CVE-2025-13731 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Nexter Extension – Site Enhancements Toolkit plugin for WordPress. The vulnerability exists in the plugin's nxt-year shortcode functionality in all versions up to and including 4.4.1. Due to insufficient input sanitization and output escaping, authenticated attackers with Contributor-level access or above can inject arbitrary web scripts into pages that execute whenever any user accesses the compromised page.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the context of victim browsers, potentially leading to session hijacking, credential theft, site defacement, and redirection to malicious sites.
Affected Products
- Nexter Extension – Site Enhancements Toolkit plugin for WordPress versions up to and including 4.4.1
- WordPress sites using vulnerable Nexter Extension versions with Contributor or higher role access
- Sites where untrusted users have Contributor-level WordPress privileges
Discovery Timeline
- 2025-12-02 - CVE-2025-13731 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-13731
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The Nexter Extension plugin fails to properly sanitize user-supplied input and escape output in the nxt-year shortcode handler located in class-nexter-load-ext.php. The CVSS 3.1 score is 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.
Key characteristics of this vulnerability:
- Attack Vector: Network-based exploitation
- Attack Complexity: Low - no special conditions required
- Privileges Required: Low - Contributor-level access is sufficient
- User Interaction: None required for script execution
- Scope: Changed - impacts resources beyond the vulnerable component
- EPSS Score: 0.034% probability of exploitation (9.491 percentile)
Root Cause
The root cause lies in the shortcode processing logic within class-nexter-load-ext.php. The plugin processes shortcode attributes without applying proper input sanitization functions such as sanitize_text_field() or wp_kses(). Additionally, when rendering the shortcode output, the plugin fails to apply output escaping functions like esc_html() or esc_attr(), allowing injected HTML and JavaScript to be rendered directly in the page context.
The vulnerable code paths are documented in the WordPress Plugin Trac at lines 66 and 136 of class-nexter-load-ext.php.
Attack Vector
An attacker with Contributor-level access or above can craft a malicious post or page containing the nxt-year shortcode with injected JavaScript payload within shortcode attributes. When the page is viewed by any user (including administrators), the malicious script executes in their browser session.
The attack flow follows this pattern:
- Attacker authenticates to WordPress with Contributor or higher privileges
- Attacker creates or edits a post/page containing the nxt-year shortcode with malicious payload
- The post/page is published or saved for review
- Victim users visiting the page trigger the stored XSS payload
- Malicious scripts execute with the victim's session context
For technical details on the vulnerable code and patch changes, see the WordPress Plugin Trac changeset comparing versions 4.4.1 to 4.4.2.
Detection Methods for CVE-2025-13731
Indicators of Compromise
- Unexpected JavaScript code within posts or pages containing nxt-year shortcode
- Posts created by Contributor-level users containing suspicious shortcode attributes
- Browser console errors or unexpected script execution on pages with Nexter Extension shortcodes
- Server logs showing unusual POST requests to WordPress admin creating or editing content with shortcode payloads
Detection Strategies
Web Application Firewall (WAF) Rules:
Configure WAF rules to detect and block requests containing potentially malicious patterns within shortcode attributes, particularly event handlers (onerror, onload, onclick) and script tags within content creation requests.
WordPress Security Plugin Monitoring:
Deploy security plugins that monitor for:
- Changes to post content containing script elements
- Shortcode attribute anomalies
- Content modifications by users with elevated privileges
Log Analysis:
Review WordPress activity logs for:
- Post creation/modification by Contributor accounts
- Content containing the nxt-year shortcode with unusual parameters
- Multiple content edits in short timeframes from lower-privileged accounts
Monitoring Recommendations
Organizations should implement continuous monitoring for content changes across their WordPress installations. Enable audit logging to track all post and page modifications, particularly those involving shortcodes. Consider implementing Content Security Policy (CSP) headers to mitigate the impact of successful XSS attacks. SentinelOne Singularity XDR provides endpoint visibility and can detect suspicious browser-based script execution patterns that may indicate XSS exploitation.
How to Mitigate CVE-2025-13731
Immediate Actions Required
- Update Nexter Extension – Site Enhancements Toolkit plugin to version 4.4.2 or later immediately
- Audit existing posts and pages for malicious content injected via the nxt-year shortcode
- Review and restrict Contributor-level access to only trusted users
- Consider temporarily disabling the Nexter Extension plugin until patching is complete
Patch Information
The vendor has released version 4.4.2 which addresses this vulnerability by implementing proper input sanitization and output escaping in the nxt-year shortcode handler. The patch changeset is available in the WordPress Plugin Trac and shows the modifications made to class-nexter-load-ext.php to remediate the XSS vulnerability.
Update via WordPress Admin:
- Navigate to Plugins → Installed Plugins
- Locate "Nexter Extension – Site Enhancements Toolkit"
- Click "Update Now" to install version 4.4.2 or later
External References:
Workarounds
If immediate patching is not possible, implement the following temporary mitigations:
- Restrict User Privileges: Demote untrusted Contributor accounts to Subscriber level until the patch is applied
- Disable Shortcode Processing: If the nxt-year shortcode is not essential, consider removing or disabling it through custom code
- Content Security Policy: Implement strict CSP headers to reduce the impact of XSS attacks
- WAF Protection: Deploy web application firewall rules to filter malicious shortcode inputs
# Example Content-Security-Policy header for Apache (.htaccess)
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
