CVE Vulnerability Database

CVE-2025-13731: Nexter Extension WordPress XSS Vulnerability

CVE-2025-13731 is a stored cross-site scripting flaw in the Nexter Extension plugin for WordPress that lets authenticated users with Contributor-level access or higher inject malicious scripts into post content. This article covers technical details, affected versions, and mitigation.


CVE-2025-13731 Overview

CVE-2025-13731 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Nexter Extension – Site Enhancements Toolkit plugin for WordPress. The flaw exists in the plugin's nxt-year shortcode across all versions up to and including 4.4.1. The root cause is insufficient input sanitization and output escaping in the shortcode handler. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript into pages. The injected script executes in the browser context of any user who views an affected page. The vulnerability is categorized under CWE-79.

Critical Impact

Contributor-level users can persist arbitrary JavaScript in WordPress posts they submit for review. Contributors cannot publish, so the first victims are the editors and administrators who preview the draft; once the post is approved and published, every visitor is exposed. In a privileged session the script can steal cookies, redirect the browser, or drive the REST API and admin-ajax endpoints with the victim's credentials, which is how administrator account takeover follows.

Affected Products

  • Nexter Extension – Site Enhancements Toolkit plugin for WordPress
  • All versions up to and including 4.4.1
  • Fixed in version 4.4.2

Discovery Timeline

  • 2025-12-02 - CVE-2025-13731 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-13731

Vulnerability Analysis

The Nexter Extension plugin registers a shortcode named nxt-year that renders user-supplied attribute values into page output. The shortcode handler, defined in include/class-nexter-load-ext.php, fails to apply adequate sanitization on incoming attributes and does not escape values when emitting them into HTML. An authenticated user with Contributor privileges can embed the shortcode with crafted attribute payloads inside post content. When the post is rendered, the unsanitized attributes are concatenated directly into the HTML response.

Because WordPress Contributors can only submit posts for review, their drafts are routinely previewed by editors and administrators, so the injected script frequently executes inside a privileged browser session. Unlike a reflected payload, which needs a victim to follow a crafted link, the stored payload fires on every view; in an administrator's session it can call the REST API and admin-ajax endpoints with that user's cookies and nonces to create users or change roles on the victim's behalf.

Root Cause

The plugin code at lines 66 and 136 of class-nexter-load-ext.php processes shortcode attributes without invoking WordPress sanitization functions such as sanitize_text_field() or escaping helpers like esc_attr() and esc_html(). The upstream changeset between versions 4.4.1 and 4.4.2 adds the missing escaping calls. See the WordPress Changeset Analysis 4.4.1 to 4.4.2 for the diff.

Attack Vector

An attacker authenticates as a Contributor or higher-privileged WordPress user and creates or edits a post containing the nxt-year shortcode with a crafted attribute value. Contributors lack the unfiltered_html capability, so wp_kses strips a literal <script> tag from their content on save; the usual payload instead closes the HTML attribute the shortcode writes the value into and appends an event-handler attribute such as onmouseover, smuggling the required double quote through a single-quoted shortcode attribute, which WordPress's shortcode parser accepts and wp_kses ignores because it is not an HTML tag. After the post is previewed or published, any viewer, including authenticated administrators, triggers script execution. Refer to the Wordfence Vulnerability Report and WordPress Code Reference - Line 136 for technical specifics.
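The PHP below is an added example, not the plugin's source or code from this page, written to make the Vulnerability Analysis, Root Cause and Attack Vector sections concrete. It pairs a hypothetical nxt-year-style handler that writes a shortcode attribute straight into a span's class attribute (the tag shape and attribute name are assumptions; the page does not say what markup the real shortcode emits) with the same handler after the esc_attr()/esc_html() escaping the fix adds, and runs a constructed Contributor payload through both. The names nxt_year_vulnerable, nxt_year_fixed and nxt_year_demo are hypothetical, and the shortcode_atts/esc_attr/esc_html stubs exist only so the file runs outside WordPress.

```php
<?php
// Added illustration for CVE-2025-13731, not the plugin's own code: a hypothetical
// nxt-year-style shortcode handler that concatenates a caller-supplied attribute
// into an HTML tag, beside the escaped form. The stubs approximate the WordPress
// helpers so this runs stand-alone (`php nxt_year_demo.php`); inside WordPress the
// real functions already exist and the stubs are skipped.

if (!function_exists('shortcode_atts')) {
    // Keep only the attributes the shortcode declares, falling back to defaults,
    // as WordPress's shortcode_atts($pairs, $atts, $shortcode) does.
    function shortcode_atts(array $pairs, array $atts, string $shortcode = ''): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    // WordPress esc_attr() encodes & < > " ' so a value cannot leave its attribute.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    // WordPress esc_html() does the same for text nodes.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable shape (the pattern the advisory describes): the attribute value is
// interpolated straight into the tag, so a double quote ends the class attribute.
function nxt_year_vulnerable($atts): string {
    $a = shortcode_atts(['class' => 'nxt-year'], (array) $atts, 'nxt-year');
    return '<span class="' . $a['class'] . '">' . date('Y') . '</span>';
}

// Hardened shape: the same handler with the escaping the fix adds. esc_attr()
// neutralises quotes and angle brackets inside the attribute; esc_html() guards
// the text node (a no-op for a four-digit year, kept for consistency).
function nxt_year_fixed($atts): string {
    $a = shortcode_atts(['class' => 'nxt-year'], (array) $atts, 'nxt-year');
    return '<span class="' . esc_attr($a['class']) . '">' . esc_html(date('Y')) . '</span>';
}

// Constructed Contributor payload. Typed into the editor as
//     [nxt-year class='x" onmouseover="alert(document.cookie)']
// WordPress's shortcode parser accepts single-quoted values, so the whole string,
// double quote included, becomes one attribute. wp_kses leaves it alone because a
// shortcode is not an HTML tag, whereas a Contributor's literal <script> is stripped.
function nxt_year_demo(): array {
    $atts = ['class' => 'x" onmouseover="alert(document.cookie)'];
    return [
        'vulnerable' => nxt_year_vulnerable($atts),
        'fixed'      => nxt_year_fixed($atts),
    ];
}

foreach (nxt_year_demo() as $label => $html) {
    printf("%-11s %s\n", $label . ':', $html);
}
```

Run it with `php nxt_year_demo.php`: the vulnerable handler emits a span whose class attribute has been closed early and followed by a live onmouseover attribute, while the fixed handler prints the same payload with each double quote encoded as `&quot;`, so it stays inert text inside the attribute. The stubs only approximate WordPress's helpers (the real esc_attr() also validates UTF-8 and avoids double-encoding existing entities); inside WordPress the real ones are used.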

Detection Methods for CVE-2025-13731

Indicators of Compromise

  • Posts or pages authored by Contributor-level accounts containing nxt-year shortcodes with unusually long or HTML-encoded attribute values.
  • Outbound requests from administrator browsers to unfamiliar domains shortly after viewing posts that contain the nxt-year shortcode.
  • New administrator accounts, modified user roles, or unexpected plugin installations following Contributor activity.
  • WordPress audit log entries showing draft submissions immediately followed by editor previews from privileged accounts.

Detection Strategies

  • Query the wp_posts table for post_content containing [nxt-year together with characters such as <, ", ', onerror, onmouseover, or javascript:. Include the single quote: a single-quoted shortcode attribute is the usual way to smuggle a double quote into one attribute value.
  • Inspect rendered pages for <script> tags or event handler attributes appearing within the markup produced by the shortcode.
  • Correlate Contributor account post-creation events with subsequent admin-session anomalies in web server access logs.
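As an added example for the detection strategies above (not code from the advisory's sources or the plugin), the PHP below scans wp_posts-shaped rows for [nxt-year ...] shortcodes whose attribute values contain HTML metacharacters, event handlers, javascript: URIs, entity-encoded text, or unusually long strings. The function names, the 64-byte length threshold, and the assumption that nxt-year is used in its self-closing form are mine; the sample rows are constructed. The attribute parser is a hypothetical re-implementation of what WordPress's shortcode_parse_atts() does, so the file runs without WordPress loaded.

```php
<?php
// Added detection example for CVE-2025-13731; not from the advisory's sources or
// the plugin. Scans rows shaped like wp_posts (ID, post_author, post_content) for
// [nxt-year ...] shortcodes with suspicious attribute values. The posts below are
// constructed so the file runs stand-alone with `php nxt_scan.php`.
// Requires PHP 7.2+ for PREG_UNMATCHED_AS_NULL.

// Parse name="value", name='value' and bare name=value pairs from one shortcode
// body. Hypothetical re-implementation of WordPress's shortcode_parse_atts();
// single-quoted values matter because that is how a double quote is smuggled
// into a single attribute.
function nxt_parse_atts(string $body): array {
    $atts = [];
    $re = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';
    preg_match_all($re, $body, $hits, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL);
    foreach ($hits as $h) {
        // Exactly one of the three value groups matched; the others are null.
        $atts[strtolower($h[1])] = $h[2] ?? $h[3] ?? $h[4] ?? '';
    }
    return $atts;
}

// Every [nxt-year ...] occurrence in $content with its parsed attributes.
// Assumes the self-closing form (the shortcode does not wrap content); a value
// containing a literal ] would be truncated at that character.
function nxt_find_shortcodes(string $content): array {
    $found = [];
    preg_match_all('/\[nxt-year\b([^\]]*)\]/i', $content, $hits, PREG_SET_ORDER);
    foreach ($hits as $h) {
        $found[] = ['raw' => $h[0], 'atts' => nxt_parse_atts($h[1])];
    }
    return $found;
}

// Why a value deserves review, or null if it looks benign. Strongest signal
// first; the first hit wins.
function nxt_suspicious_reason(string $value): ?string {
    if (preg_match('/["\'<>]/', $value))                    { return 'html-metachar'; }
    if (preg_match('/\bon[a-z]+\s*=/i', $value))            { return 'event-handler'; }
    if (preg_match('/javascript\s*:/i', $value))             { return 'javascript-uri'; }
    if (preg_match('/&(?:#x?[0-9a-f]+|[a-z]+);/i', $value))  { return 'html-entity'; }
    if (strlen($value) > 64)                                 { return 'long-value'; }  // threshold is an assumption
    return null;
}

// One finding per suspicious attribute across all rows.
function nxt_scan_posts(array $posts): array {
    $findings = [];
    foreach ($posts as $post) {
        foreach (nxt_find_shortcodes($post['post_content']) as $sc) {
            foreach ($sc['atts'] as $name => $value) {
                $why = nxt_suspicious_reason($value);
                if ($why !== null) {
                    $findings[] = [
                        'post_id'   => (int) $post['ID'],
                        'author'    => (int) $post['post_author'],
                        'attribute' => $name,
                        'reason'    => $why,
                        'shortcode' => $sc['raw'],
                    ];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows: two benign uses by user 2, a quote-breakout and a
// javascript: URI by user 7 (a hypothetical Contributor account).
$sample_posts = [
    ['ID' => 101, 'post_author' => 2, 'post_content' => 'Copyright [nxt-year] Example Co.'],
    ['ID' => 102, 'post_author' => 2, 'post_content' => '<p>[nxt-year class="footer-year"]</p>'],
    ['ID' => 103, 'post_author' => 7, 'post_content' => "Draft [nxt-year class='x\" onmouseover=\"alert(document.cookie)'] text"],
    ['ID' => 104, 'post_author' => 7, 'post_content' => '[nxt-year class="javascript:alert(1)"]'],
];

foreach (nxt_scan_posts($sample_posts) as $f) {
    printf("post %d (author %d): attribute '%s' flagged as %s in %s\n",
        $f['post_id'], $f['author'], $f['attribute'], $f['reason'], $f['shortcode']);
}
```

Against a live site, replace $sample_posts with the rows from `$wpdb->get_results("SELECT ID, post_author, post_content FROM {$wpdb->posts} WHERE post_content LIKE '%[nxt-year%'", ARRAY_A)`, run from a WP-CLI command or `wp eval-file`; the row keys match what the scanner expects. Leaving post_type unfiltered is deliberate: revisions and autosaves live in the same table, so a payload that a Contributor edited out after an administrator previewed the draft is still found.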

Monitoring Recommendations

  • Enable a web application firewall ruleset that flags shortcode attributes containing HTML metacharacters.
  • Monitor the installed plugin inventory and alert when sites continue to run Nexter Extension at version 4.4.1 or earlier.
  • Forward WordPress audit logs and reverse-proxy access logs to a centralized analytics platform for correlation across editor sessions.

How to Mitigate CVE-2025-13731

Immediate Actions Required

  • Update the Nexter Extension – Site Enhancements Toolkit plugin to version 4.4.2 or later on every WordPress instance.
  • Audit all posts and pages that use the nxt-year shortcode and remove any entries containing scriptable content.
  • Review Contributor, Author, and Editor accounts and revoke privileges that are no longer required.
  • Rotate administrator passwords and active session tokens if untrusted Contributor activity is detected.

Patch Information

The vendor addressed the issue in Nexter Extension version 4.4.2 by adding proper sanitization and output escaping to the nxt-year shortcode handler in include/class-nexter-load-ext.php. Site operators should apply this update through the WordPress plugin manager or by deploying the updated package from the WordPress plugin repository.

Workarounds

  • Restrict shortcode usage by removing the nxt-year shortcode registration through a custom mu-plugin until the update is applied.
  • Limit Contributor and Author roles to trusted users only, and require editorial review before previewing untrusted drafts in privileged browser sessions.
  • Deploy a WordPress-focused web application firewall with a virtual-patching signature for this CVE (see the Wordfence Vulnerability Report referenced above) as a stop-gap, not as a replacement for the update.
```bash
# Update Nexter Extension via WP-CLI on affected hosts, then confirm the version
wp plugin get nexter-extension --field=version   # 4.4.1 or lower before the update
wp plugin update nexter-extension --version=4.4.2
wp plugin get nexter-extension --field=version   # should now print 4.4.2
```
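The first workaround above, unregistering nxt-year from an mu-plugin, as an added example; this is not vendor code. It assumes the plugin registers the shortcode on init or earlier, so a late-priority init hook can undo the registration. The optional replacement handler that prints only the current year is my choice, made so existing pages do not show literal [nxt-year] text; it does not reproduce the plugin's markup.

```php
<?php
/**
 * Plugin Name: Neutralize nxt-year shortcode (CVE-2025-13731 stop-gap)
 * Description: Place in wp-content/mu-plugins/ until Nexter Extension 4.4.2 or later is installed, then delete.
 */
// Added example for the mu-plugin workaround; not the plugin vendor's code.
// Assumption: the shortcode is registered on `init` or earlier, so a hook at the
// lowest possible priority on `init` runs after that registration.
add_action('init', function () {
    if (!shortcode_exists('nxt-year')) {
        return; // plugin inactive, already removed, or registered on a later hook
    }
    remove_shortcode('nxt-year');

    // Optional: keep a rendered year so pages do not show "[nxt-year]" literally.
    // Every attribute is ignored, so nothing user-controlled reaches the output.
    // The output shape is an assumption, not the plugin's own markup.
    add_shortcode('nxt-year', function () {
        return esc_html(date_i18n('Y'));
    });
}, PHP_INT_MAX);
```

Drop the file into wp-content/mu-plugins/ (create the directory if it does not exist), then check with `wp eval 'echo do_shortcode("[nxt-year class=x]");'` that only a year comes back and the attribute is gone. If the plugin registers the shortcode on a later hook, the shortcode_exists() guard returns false and the file does nothing; move the hook accordingly. Delete the file once 4.4.2 is deployed so the vendor's fixed handler is used.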

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
