CVE-2025-13355
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-13355, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-15

Last updated on: 2025-12-15

Assigner: WPScan

Description

The URL Shortify WordPress plugin before 1.11.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-15
Last Modified
2025-12-15
Generated
2026-07-06
AI Q&A
2025-12-15
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpress plugin_url_shortify *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-13355 is a Reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin URL Shortify versions before 1.11.4. The plugin does not properly sanitize and escape a parameter before outputting it back on the page. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript code in the browser of a logged-in user with high privileges, such as an administrator, potentially compromising their session or data. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in the context of a high privilege user’s browser, such as an admin. This can lead to session hijacking, unauthorized actions performed on behalf of the admin, data theft, or other malicious activities that compromise the security and integrity of your WordPress site. [1]

Detection Guidance

This vulnerability can be detected by testing the URL Shortify plugin for reflected Cross-Site Scripting (XSS) issues, specifically by injecting a script payload into the `form_data[cpt_id]` parameter in the admin interface URL and observing if the script executes. For example, you can manually craft a URL with a payload such as `<script>alert(1)</script>` in the `form_data[cpt_id]` parameter and visit it while logged in as an admin to see if an alert box appears. Automated tools like OWASP ZAP or Burp Suite can also be used to scan for reflected XSS vulnerabilities in the plugin's parameters. [1]

Mitigation Strategies

The immediate mitigation step is to update the URL Shortify WordPress plugin to version 1.11.4 or later, where the vulnerability has been fixed. Until the update can be applied, restrict access to the WordPress admin interface to trusted users only and avoid clicking on suspicious URLs that include the vulnerable parameter. Additionally, consider implementing Web Application Firewall (WAF) rules to block malicious payloads targeting the `form_data[cpt_id]` parameter. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13355. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart