CVE-2025-13730
Stored XSS in WordPress OpenID Connect Plugin Allows Script Injection
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | openid_connect_generic_client | 3.10.1 |
| wordpress | openid_connect_generic_client | 3.10.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the OpenID Connect Generic Client plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue. It occurs via the plugin's 'openid_connect_generic_auth_url' shortcode in all versions up to and including 3.10.0. The root cause is insufficient input sanitization and output escaping, which allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising user sessions or site integrity. [2]
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or above to inject malicious scripts into WordPress pages via the affected shortcode. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, unauthorized actions, data theft, or defacement of the website. This compromises the security and trustworthiness of the affected WordPress site. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'openid_connect_generic_auth_url' shortcode in the OpenID Connect Generic Client WordPress plugin. Detection involves identifying pages or posts containing this shortcode with injected malicious scripts. Since the vulnerability requires Contributor-level access or higher to inject scripts, monitoring for unusual or unauthorized shortcode content in WordPress posts/pages is key. Additionally, inspecting HTTP responses for unexpected script tags in pages using this shortcode can help detect exploitation. Specific commands are not provided in the resources, but general approaches include: 1. Searching the WordPress database for posts/pages containing the shortcode with suspicious script tags, e.g., using SQL queries on the wp_posts table. 2. Using web vulnerability scanners or tools that detect stored XSS in WordPress content. 3. Monitoring HTTP traffic for pages containing the shortcode and checking for injected scripts. Since no explicit commands are given in the resources, these general detection methods apply.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Update the OpenID Connect Generic Client plugin to a version later than 3.10.0 where the vulnerability is fixed (e.g., 3.10.1 or later). The update addresses security improvements including token refresh handling and other fixes related to CVE-2025-13730. 2. Restrict Contributor-level and higher user permissions to trusted users only, as exploitation requires authenticated users with such access. 3. Review and sanitize any content created via the 'openid_connect_generic_auth_url' shortcode to remove any injected scripts. 4. Monitor and audit user activity for suspicious shortcode usage or content injection. 5. Consider disabling or removing the vulnerable shortcode if immediate update is not possible. These steps help prevent exploitation and reduce risk until the plugin is updated. [3]