CVE-2025-13848 Overview
The STM Gallery plugin for WordPress versions up to and including 0.9 contains a Stored Cross-Site Scripting (XSS) vulnerability in the composicion parameter. Due to insufficient input sanitization and output escaping, authenticated attackers with Contributor-level access or higher can inject malicious web scripts into WordPress pages. These scripts execute automatically whenever any user accesses the compromised page, enabling session hijacking, credential theft, and unauthorized actions.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the context of any user viewing infected pages, potentially compromising administrator accounts and enabling full site takeover.
Affected Products
- STM Gallery WordPress Plugin version 0.9 and earlier
- WordPress installations with STM Gallery plugin enabled
- Sites allowing Contributor-level or higher user registrations
Discovery Timeline
- 2026-01-07 - CVE CVE-2025-13848 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-13848
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability stems from improper handling of user-supplied input within the STM Gallery plugin's core functionality. The composicion parameter accepts user input without adequate validation, allowing attackers to embed JavaScript or other executable code directly into WordPress pages. Unlike Reflected XSS, the malicious payload is permanently stored in the database and served to all users who view the affected page.
The vulnerability requires authentication with at least Contributor-level privileges, which limits the attack surface but still presents significant risk on sites that allow user registrations or have multiple content contributors. Once exploited, the injected scripts can capture session cookies, redirect users to malicious sites, deface content, or execute API requests as the victim user—including administrative actions if an administrator views the compromised page.
Root Cause
The root cause lies in the plugin's failure to properly sanitize input received through the composicion parameter and escape output when rendering content. The vulnerable code at line 121 of stmgallery_v.0.9.php directly processes user input without utilizing WordPress's built-in sanitization functions such as sanitize_text_field() for input or esc_html() and esc_attr() for output. This allows script tags and event handlers to pass through unmodified and execute in users' browsers.
Attack Vector
The attack requires network access and authenticated access with Contributor-level permissions or higher. An attacker would craft a gallery entry containing malicious JavaScript within the composicion parameter. When this content is saved and subsequently rendered on the frontend, the browser interprets and executes the embedded script. The attacker can target specific high-value users by creating content they are likely to view, or broadly compromise all site visitors if the malicious gallery appears on public pages.
The exploitation flow involves creating or editing gallery content, inserting XSS payloads such as script tags or event handlers into the vulnerable parameter, and waiting for victims to view the affected page. Payloads commonly steal session tokens, inject keyloggers, or perform Cross-Site Request Forgery attacks against the victim's authenticated session.
Detection Methods for CVE-2025-13848
Indicators of Compromise
- Unusual JavaScript code appearing in STM Gallery content or database entries
- Unexpected <script> tags or event handlers (e.g., onerror, onload) in gallery composicion fields
- Browser console errors or unexpected network requests when viewing gallery pages
- Reports of users being redirected or experiencing unusual behavior on gallery pages
Detection Strategies
- Audit WordPress database for gallery entries containing script tags or JavaScript event handlers
- Monitor web application firewall (WAF) logs for XSS payload patterns in POST requests to gallery endpoints
- Review access logs for suspicious activity from Contributor or higher-level accounts
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
Monitoring Recommendations
- Enable SentinelOne Singularity platform for real-time web application monitoring
- Configure WordPress security plugins to alert on suspicious content modifications
- Set up database query monitoring for script injection patterns in gallery tables
- Implement browser-based XSS detection through CSP violation reporting
How to Mitigate CVE-2025-13848
Immediate Actions Required
- Update STM Gallery plugin to a patched version when available from the WordPress plugin repository
- Review existing gallery content for malicious script injections and sanitize affected entries
- Restrict Contributor-level access to trusted users only until the patch is applied
- Implement a Web Application Firewall (WAF) rule to filter XSS payloads in the composicion parameter
Patch Information
No official patch has been confirmed at the time of this writing. Organizations should monitor the WordPress Plugin Repository and the Wordfence Threat Intelligence Report for updates on remediation. Until a patch is released, apply the workarounds below to reduce exposure.
Workarounds
- Disable the STM Gallery plugin entirely if not critical to site functionality
- Implement server-side input validation to strip HTML tags and JavaScript from the composicion parameter
- Add Content Security Policy headers to prevent inline script execution: Content-Security-Policy: script-src 'self'
- Restrict user registrations to prevent untrusted users from obtaining Contributor access
# Add CSP header in Apache .htaccess
Header set Content-Security-Policy "script-src 'self'; object-src 'none'"
# Or in nginx configuration
add_header Content-Security-Policy "script-src 'self'; object-src 'none'" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
