CVE-2025-13355
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-15
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | plugin_url_shortify | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-13355 is a Reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin URL Shortify versions before 1.11.4. The plugin does not properly sanitize and escape a parameter before outputting it back on the page. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript code in the browser of a logged-in user with high privileges, such as an administrator, potentially compromising their session or data. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in the context of a high privilege userβs browser, such as an admin. This can lead to session hijacking, unauthorized actions performed on behalf of the admin, data theft, or other malicious activities that compromise the security and integrity of your WordPress site. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the URL Shortify plugin for reflected Cross-Site Scripting (XSS) issues, specifically by injecting a script payload into the `form_data[cpt_id]` parameter in the admin interface URL and observing if the script executes. For example, you can manually craft a URL with a payload such as `<script>alert(1)</script>` in the `form_data[cpt_id]` parameter and visit it while logged in as an admin to see if an alert box appears. Automated tools like OWASP ZAP or Burp Suite can also be used to scan for reflected XSS vulnerabilities in the plugin's parameters. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the URL Shortify WordPress plugin to version 1.11.4 or later, where the vulnerability has been fixed. Until the update can be applied, restrict access to the WordPress admin interface to trusted users only and avoid clicking on suspicious URLs that include the vulnerable parameter. Additionally, consider implementing Web Application Firewall (WAF) rules to block malicious payloads targeting the `form_data[cpt_id]` parameter. [1]