CVE-2025-13963
Stored XSS in FX Currency Converter WordPress Plugin Allows Script Injection
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | fx_currency_converter | 0.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying the presence of the vulnerable FX Currency Converter plugin version 0.2.0 or earlier on your WordPress site and checking for usage of the '[fxcc_convert]' shortcode with potentially malicious attributes. Since the vulnerability is a Stored Cross-Site Scripting (XSS) via shortcode attributes, you can detect it by searching for posts or pages containing the shortcode with suspicious script tags or unusual attribute values. Commands to help detect this include using WP-CLI or database queries to find shortcode usage. For example, you can run a SQL query on your WordPress database to find posts containing the shortcode: `SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[fxcc_convert%';` Then manually inspect the shortcode attributes for suspicious content. Additionally, monitoring web server logs or using a web application firewall (WAF) to detect attempts to inject scripts via shortcode parameters can help. There are no specific commands provided in the resources, but these general approaches apply.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the FX Currency Converter plugin to version 0.2.1 or later, which contains the security fix for CVE-2025-13963. The update ensures comprehensive sanitization and escaping of all user-supplied shortcode attributes, preventing Stored Cross-Site Scripting attacks. If updating immediately is not possible, restrict contributor-level and higher users from adding or editing content with the '[fxcc_convert]' shortcode until the patch is applied. Additionally, review and sanitize any existing content using the shortcode to remove malicious scripts. Enabling WordPress security plugins or a web application firewall that can detect and block XSS attempts is also recommended. [1, 2]
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the FX Currency Converter plugin for WordPress. It occurs via the plugin's 'fxcc_convert' shortcode in versions up to 0.2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject malicious scripts into pages, which execute whenever a user views the infected page.
How can this vulnerability impact me? :
The vulnerability allows attackers with contributor-level access or higher to inject arbitrary web scripts into pages. This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacement, or spreading malware to users who visit the infected pages.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.