Urgent Security Alert: Stored XSS Vulnerability in Extra Post Images WordPress Plugin (CVE-2025-13856)

Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been disclosed in the Extra Post Images plugin for WordPress. Tracked as CVE-2025-13856, it affects all versions up to and including 1.0. An authenticated attacker with Contributor-level access or higher can store arbitrary JavaScript in a post through the plugin's shortcode; the script then executes in the browser of every user who views the affected page, which can lead to account compromise, data theft, or other malicious activity.

Technical Details

The vulnerability resides in the handling of the id parameter within the extra-images shortcode. Due to insufficient input sanitization and output escaping, an attacker can inject arbitrary web scripts through this parameter. The vulnerable code can be found in the following files (based on the references):

  • epi.php (tag 1.0): Lines 92 and 101
  • epi.php (trunk): Line 92

An attacker inserts JavaScript into the id attribute of the shortcode in a post they are allowed to edit. When any user views a page rendering that shortcode, the script runs in their browser under the origin of the targeted site. Because Contributors cannot publish, the typical trigger is an Editor or Administrator previewing or reviewing the pending post, which means the payload runs in a highly privileged session.

Example of a vulnerable shortcode:

[extra-images id="<script>alert('XSS Vulnerability!')</script>"]
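The following is an added, illustrative example and is not the plugin's own code. It shows a hypothetical shortcode handler with the flaw the advisory describes (the id attribute reaching HTML output without sanitization or escaping) alongside a hardened version that coerces the value to an integer on input and escapes it on output. The function names epi_example_* are assumptions; the WordPress APIs used (shortcode_atts, absint, esc_html, esc_attr, get_post, get_attached_media, wp_get_attachment_image, add_shortcode) are real.

```php
<?php
/*
 * Illustrative example for CVE-2025-13856. NOT the Extra Post Images plugin's
 * actual code: the function names and markup here are hypothetical.
 */

// VULNERABLE pattern. The id attribute is concatenated straight into HTML.
// With [extra-images id="<script>alert('XSS Vulnerability!')</script>"] the
// script tag lands in the page body and executes for every viewer.
function epi_example_vulnerable_shortcode( $atts ) {
	$atts = shortcode_atts( array( 'id' => '' ), $atts, 'extra-images' );

	$post = get_post( $atts['id'] );
	if ( ! $post ) {
		// Sink 1: untrusted value in HTML text context, no escaping.
		return '<p>No extra images found for post ' . $atts['id'] . '</p>';
	}

	// Sink 2: untrusted value in an attribute, no escaping (a payload with a
	// closing double quote could break out and add an event handler here).
	$html = '<div class="extra-images" data-post-id="' . $atts['id'] . '">';
	foreach ( get_attached_media( 'image', $post->ID ) as $image ) {
		$html .= wp_get_attachment_image( $image->ID, 'medium' );
	}
	return $html . '</div>';
}

// HARDENED pattern. The attribute is supposed to be a post ID, so it is
// reduced to a non-negative integer on input, and every echo still goes
// through the context-appropriate escaping function.
function epi_example_hardened_shortcode( $atts ) {
	$atts = shortcode_atts( array( 'id' => 0 ), $atts, 'extra-images' );

	$post_id = absint( $atts['id'] ); // "<script>..." becomes 0
	if ( 0 === $post_id || ! get_post( $post_id ) ) {
		return '<p>No extra images found for post ' . esc_html( $post_id ) . '</p>';
	}

	$html = '<div class="extra-images" data-post-id="' . esc_attr( $post_id ) . '">';
	foreach ( get_attached_media( 'image', $post_id ) as $image ) {
		// wp_get_attachment_image() returns already-escaped markup.
		$html .= wp_get_attachment_image( $image->ID, 'medium' );
	}
	return $html . '</div>';
}

// Only the hardened handler is registered; the vulnerable one is for contrast.
add_shortcode( 'extra-images', 'epi_example_hardened_shortcode' );
```

The important design point is that sanitization alone is not enough: absint() happens to make the value safe in every context, but the esc_html()/esc_attr() calls stay in place so that a later change to the input handling (for example, accepting a comma-separated list of IDs) does not silently reopen the sink.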

CVSS Analysis

  • CVE ID: CVE-2025-13856
  • Severity: MEDIUM
  • CVSS Score: 6.4

A CVSS score of 6.4 places this vulnerability at medium severity. The attack requires authentication as a Contributor, and its impact is limited to what the victim's browser can do on the site, which is why the score is not higher. The full CVSS vector is not reproduced here; 6.4 is the value commonly assigned to contributor-level stored XSS in WordPress plugins under CVSS v3.1 (network attack vector, low complexity, low privileges required, no user interaction beyond viewing the page, changed scope, low confidentiality and integrity impact). Note that stored XSS needs no additional user interaction: simply rendering the affected page is enough.

Possible Impact

Successful exploitation of this XSS vulnerability could have the following consequences:

  • Account Takeover: WordPress sets its authentication cookies with the HttpOnly flag, so script normally cannot read them directly. Instead, the injected script can drive the victim's authenticated session from inside the page, for example by submitting privileged requests (creating an administrator account, changing the admin email, installing a plugin) using the nonces that are available to a logged-in administrator's page.
  • Data Theft: Sensitive information displayed on the page could be extracted and sent to a remote server controlled by the attacker.
  • Malicious Redirects: Users could be redirected to phishing sites or other malicious websites.
  • Website Defacement: The attacker could modify the content of the page to display misleading or harmful information.

Mitigation and Patch Steps

To mitigate this vulnerability, follow these steps:

  1. Update the Plugin (if an update exists): Check for an updated version of the Extra Post Images plugin and install it as soon as it is available. As of this writing no fixed version has been released, so disabling the plugin is required.
  2. Disable the Plugin: If no update is available, disable the Extra Post Images plugin immediately. This will prevent the shortcode from being processed and mitigate the risk of exploitation.
  3. Review User Roles and Permissions: Limit Contributor-level access to trusted users only. Regularly review user roles and permissions to ensure that users only have the necessary access.
  4. Monitor Website Activity: Monitor your website for any suspicious activity, such as unexpected changes to content or unusual user behavior.
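As an added example supporting steps 2 and 4 above (not part of the original advisory or of the plugin), the script below scans stored post content for [extra-images] shortcodes whose id attribute is not a plain integer, which is the only legitimate value for that attribute. It is meant to be run with WP-CLI from the WordPress root as wp eval-file scan-extra-images.php; the file name is an assumption. It uses WordPress's own get_shortcode_regex() and shortcode_parse_atts() so that it tokenizes the shortcode exactly the way WordPress does, and it checks all post types and statuses, including drafts, pending posts and revisions, since a Contributor's payload may never reach "publish".

```php
<?php
/*
 * Hypothetical detection script for CVE-2025-13856 (added example, not the
 * plugin's or the advisory's code). Usage:  wp eval-file scan-extra-images.php
 */

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
	die( "Run this with: wp eval-file scan-extra-images.php\n" );
}

global $wpdb;

// Cheap SQL pre-filter; the precise check happens in PHP below. Every
// post_type and post_status is included on purpose (drafts, pending,
// revisions), because a Contributor's payload is usually not published.
$rows = $wpdb->get_results(
	"SELECT ID, post_author, post_type, post_status, post_title, post_content
	   FROM {$wpdb->posts}
	  WHERE post_content LIKE '%[extra-images%'"
);

// WordPress's own shortcode regex, restricted to this one tag. Capture groups:
// [1] leading '[' if the shortcode is escaped as [[...]], [3] the attribute string.
$regex = '/' . get_shortcode_regex( array( 'extra-images' ) ) . '/';

$findings = array();
foreach ( $rows as $row ) {
	if ( ! preg_match_all( $regex, $row->post_content, $matches, PREG_SET_ORDER ) ) {
		continue;
	}
	foreach ( $matches as $m ) {
		if ( '[' === $m[1] && ']' === $m[6] ) {
			continue; // [[extra-images ...]] is escaped and never rendered
		}
		$atts = shortcode_parse_atts( $m[3] );
		if ( ! is_array( $atts ) || ! isset( $atts['id'] ) ) {
			continue;
		}
		$id = (string) $atts['id'];
		if ( ctype_digit( $id ) ) {
			continue; // a numeric post ID is the only legitimate value
		}
		$findings[] = array(
			'post_id' => $row->ID,
			'author'  => $row->post_author,
			'type'    => $row->post_type,
			'status'  => $row->post_status,
			'title'   => $row->post_title,
			// Truncate for display; the full value is in the database.
			'id_attr' => mb_substr( $id, 0, 80 ),
		);
	}
}

if ( empty( $findings ) ) {
	WP_CLI::success( 'No [extra-images] shortcodes with a non-numeric id found.' );
} else {
	WP_CLI::warning( count( $findings ) . ' suspicious shortcode(s) found:' );
	WP_CLI\Utils\format_items(
		'table',
		$findings,
		array( 'post_id', 'author', 'type', 'status', 'title', 'id_attr' )
	);
}
```

Treat every hit as an incident artifact rather than just cleaning it up: record the post author, compare it against the list of accounts that should hold Contributor access, and review that account's other content and recent logins before deleting the payload. Keep in mind that this only covers wp_posts; shortcodes can also live in widgets, page-builder meta and theme options, which need their own checks.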

References