CVE-2025-13031
Description
The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WPeMatico RSS Feed Fetcher plugin before 2.8.13 fails to sanitize settings, allowing contributor-level stored XSS.
The WPeMatico RSS Feed Fetcher plugin for WordPress, prior to version 2.8.13, contains a stored cross-site scripting (XSS) vulnerability due to insufficient sanitization and escaping of certain plugin settings [1]. This flaw allows high-privilege users, such as contributors, to inject arbitrary web scripts into the plugin's configuration [1]. The vulnerability is rooted in the plugin's failure to properly handle user-supplied input when saving settings, which are later displayed without adequate output encoding [1].
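The two-sided failure the narrative describes (no sanitization when a setting is saved, no escaping when it is rendered) maps onto a standard WordPress fix pattern. The snippet below is an added example, not WPeMatico's code: it shows a hypothetical settings field handled the unsafe way and then the same field handled with the Settings API's sanitize_callback on save, a capability and nonce check on the write path, and context-appropriate escaping on output. The option name, settings group, and nonce action are assumptions for illustration.

```php
<?php
/*
 * Added example, not code from the WPeMatico plugin. The option name
 * 'example_feed_title', the settings group 'example_settings_group' and
 * the nonce action 'example_save_settings' are assumptions for illustration.
 */

// --- Unsafe pattern: raw input saved, raw value echoed --------------------
function example_unsafe_save() {
    // No capability check, no nonce, no sanitization: whatever is posted
    // is written to the database as-is.
    if ( isset( $_POST['example_feed_title'] ) ) {
        update_option( 'example_feed_title', wp_unslash( $_POST['example_feed_title'] ) );
    }
}

function example_unsafe_render() {
    // The stored value is printed into an HTML attribute with no escaping,
    // so any markup saved above becomes part of the page for every admin
    // who views the settings screen. This is the stored-XSS shape.
    echo '<input type="text" name="example_feed_title" value="'
        . get_option( 'example_feed_title', '' ) . '">';
}

// --- Hardened pattern: sanitize on input, escape on output -----------------
function example_register_settings() {
    // sanitize_callback runs on every save that goes through the Settings
    // API, stripping tags and control characters before the value is stored.
    register_setting(
        'example_settings_group',
        'example_feed_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

function example_safe_save() {
    // Only users allowed to manage options may write this setting, and the
    // request must carry a valid nonce for this specific action.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_settings' );

    if ( isset( $_POST['example_feed_title'] ) ) {
        // Sanitize on input even when a sanitize_callback is registered, so a
        // direct update_option() call does not bypass it.
        $title = sanitize_text_field( wp_unslash( $_POST['example_feed_title'] ) );
        update_option( 'example_feed_title', $title );
    }
}

function example_safe_render() {
    // Escape for the context the value lands in: esc_attr() for an attribute,
    // esc_html() for element content. Escaping on output protects the page
    // even if a value reached the database through some other path.
    $title = get_option( 'example_feed_title', '' );
    echo '<input type="text" name="example_feed_title" value="' . esc_attr( $title ) . '">';
    echo '<p>' . esc_html( $title ) . '</p>';
    wp_nonce_field( 'example_save_settings' );
}
```

The save and render paths are independent controls: sanitization keeps markup out of the database, escaping makes any value that does reach the page inert in its output context, and the capability check limits who can write at all. Contributors do not hold manage_options by default, so that check alone closes the write path for the role named in the description; the sanitize/escape pair still matters for whichever roles are permitted to edit the settings.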
Exploitation
An attacker with contributor-level access or higher can exploit this vulnerability by crafting malicious input in the affected settings fields [1]. When the settings are saved and subsequently rendered in the WordPress admin interface, the injected script executes in the context of the victim's browser [1]. No additional authentication or network position is required beyond the contributor account, making it a relatively low-barrier attack vector for authenticated users [1].
Impact
Successful exploitation enables the attacker to perform actions on behalf of the victim, such as stealing session cookies, redirecting to malicious sites, or modifying content within the admin dashboard [1]. The stored nature of the XSS means the payload persists and can affect any administrator or other user who views the compromised settings page [1].
Mitigation
The vulnerability is fixed in version 2.8.13 of the WPeMatico plugin [1]. Users are strongly advised to update to this version or later to eliminate the risk. No workarounds are documented, and the plugin's vendor has not indicated that older versions will receive backported patches [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.8.13
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.