CVE-2025-13624
Reflected XSS in Overstock Affiliate Links WordPress Plugin
Publication date: 2025-12-20
Last updated on: 2025-12-20
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| overstock | affiliate_links | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-13624 is a vulnerability in the Overstock Affiliate Links WordPress plugin, specifically in the sandbox_page.php file. The plugin allows users to submit WordPress shortcodes via a POST request, which are then executed by the plugin without proper sanitization or validation. This means an attacker can inject malicious shortcodes or scripts that get executed on the server side. The vulnerability arises because the plugin directly passes user input to the do_shortcode() function without checking or cleaning it, enabling arbitrary code execution or other malicious actions within the WordPress environment. [2, 4]
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to inject and execute arbitrary code or scripts on your WordPress site through the Overstock Affiliate Links plugin. This can lead to privilege escalation, unauthorized actions, or compromise of the website's integrity and security. Essentially, attackers can exploit this flaw to run malicious code, potentially gaining control over parts of your WordPress environment or affecting your site's users. [2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Overstock Affiliate Links plugin version 1.1 or earlier is installed and if the sandbox_page.php file is accessible. Specifically, you can test for the vulnerability by sending a POST request to the sandbox page with a shortcode payload in the 'shortcode' parameter and observing if the shortcode is executed without sanitization. For example, you can use curl to send a test POST request:
curl -X POST -d "shortcode=[your_test_shortcode]" https://yourwordpresssite.com/wp-content/plugins/overstock-affiliate-links/sandbox_page.php
If the shortcode executes and returns output, the vulnerability is present. Additionally, scanning for reflected XSS via the PHP_SELF parameter in URLs related to the plugin can help detect the reflected cross-site scripting issue. [2, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the Overstock Affiliate Links plugin version 1.1 or earlier from your WordPress installation, especially the sandbox_page.php file or the sandbox testing interface. Since the plugin has been closed pending review as of December 16, 2025, avoid using it until a patched version is released. Additionally, restrict access to the sandbox_page.php file to trusted users only or block access via web server configuration. Applying web application firewall (WAF) rules to block malicious shortcode inputs or suspicious POST requests targeting the sandbox page can also help mitigate exploitation. [3, 4]
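As an added example that is not part of this record or the plugin's own code: a small Python check that walks web-server access-log lines and flags requests reaching the plugin's sandbox_page.php, serving both the detection question and the "block access via web server configuration" mitigation above (a hit with a 200 status means the block is not in place). The log lines and addresses are constructed; the plugin path is the one from the curl example.

```python
import re
from urllib.parse import unquote

# Path of the plugin file named in the Q&A above.
SANDBOX_PATH = "/wp-content/plugins/overstock-affiliate-links/sandbox_page.php"

# Combined-log-format parser (assumption: logs are in Apache/nginx combined format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# An HTML tag opener anywhere in the decoded path/query suggests PHP_SELF reflection.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.IGNORECASE)

# Constructed sample log lines (not real traffic): a direct POST that was served,
# a GET carrying a tag in the path, an unrelated plugin asset, and a POST the
# web server blocked after the mitigation was applied.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2025:10:01:02 +0000] "POST /wp-content/plugins/overstock-affiliate-links/sandbox_page.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [20/Dec/2025:10:01:09 +0000] "GET /wp-content/plugins/overstock-affiliate-links/sandbox_page.php/%3Cscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Dec/2025:10:02:00 +0000] "GET /wp-content/plugins/overstock-affiliate-links/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2025:11:30:41 +0000] "POST /wp-content/plugins/overstock-affiliate-links/sandbox_page.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""


def classify(line):
    """Return a finding dict for a request to sandbox_page.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so a double-encoded tag is still seen.
    target = unquote(unquote(m.group("target")))
    if not target.lower().startswith(SANDBOX_PATH):
        return None
    reasons = []
    if m.group("method") == "POST":
        reasons.append("direct POST to sandbox_page.php (shortcode submission)")
    if TAG_RE.search(target):
        reasons.append("HTML tag in request path/query (PHP_SELF reflection)")
    if not reasons:
        reasons.append("direct access to sandbox_page.php")
    return {
        "ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
        "blocked": m.group("status") in ("403", "404"), "reasons": reasons,
    }


def scan(log_text):
    """Run classify() over every line and keep the findings, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]
```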