Atomic Edge analysis of CVE-2025-13959 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Filestack WordPress plugin (slug: filepicker-media-uploader) affecting versions up to and including 2.0.8. The vulnerability resides in the plugin’s ‘filepicker’ shortcode handler, allowing attackers with contributor-level or higher privileges to inject malicious scripts into pages and posts. These scripts execute when a user views the compromised content. The CVSS 3.1 score of 6.4 (Medium severity) reflects its network-based attack vector, low attack complexity, and requirement for low-level authenticated access, with scope change and impacts on confidentiality and integrity.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping on user-supplied shortcode attributes. The CWE-79 classification confirms improper neutralization of input during web page generation. The vulnerability description explicitly states the issue occurs via the ‘filepicker’ shortcode. Without access to source code, Atomic Edge infers that the plugin’s shortcode callback function likely directly echoes or unsafely outputs attribute values without applying WordPress escaping functions like esc_attr() or esc_html(). This inference is based on the standard WordPress shortcode API pattern where attributes are passed as an associative array.

Exploitation requires an authenticated user with at least contributor-level permissions. The attacker creates or edits a post or page, inserting the vulnerable ‘[filepicker]’ shortcode with malicious JavaScript payloads within its attributes. For example, an attacker might craft a shortcode like [filepicker example=”” onmouseover=”alert(document.cookie)”]. When the page renders, the plugin outputs the attribute value without proper escaping, causing script execution. The attack vector is entirely within the WordPress editor, targeting the post content submission endpoint (/wp-admin/post.php) or the REST API (/wp-json/wp/v2/posts).

Remediation requires implementing proper output escaping on all user-controlled shortcode attributes before they are printed to the browser. The plugin should use WordPress core escaping functions such as esc_attr() for HTML attributes and esc_html() for text nodes. Additionally, input validation should restrict attribute values to expected patterns where possible. A comprehensive fix would involve auditing the shortcode handler function and all related output functions to ensure context-appropriate escaping.

Successful exploitation allows attackers to inject arbitrary JavaScript that executes in the context of any user viewing the compromised page. This can lead to session hijacking by stealing cookies, defacement by manipulating page content, or redirection to malicious sites. Contributor-level attackers could target administrators to perform actions on their behalf, potentially leading to privilege escalation or site takeover. The stored nature means the payload persists and executes for all subsequent visitors until removed.