CVE-2025-13993
Stored XSS in MailerLite Signup Forms Plugin Allows Admin Script Injection
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mailerlite | signup_forms | 1.7.16 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the MailerLite – Signup forms plugin version is up to and including 1.7.16, as these versions are vulnerable. Additionally, inspecting the 'form_description' and 'success_message' parameters for stored malicious scripts in the WordPress database (specifically in the 'mailerlite_forms' table) can help identify exploitation. Since the vulnerability requires authenticated administrator access to inject scripts, monitoring admin actions and changes to signup forms may reveal suspicious activity. There are no specific network commands provided, but reviewing the plugin version and database entries related to MailerLite forms is recommended. [1, 3]
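As an added example (not from this page, and not the plugin's own code), the following Python check follows the two detection steps in the answer above: it compares the installed plugin version against the fixed release and scans rows shaped like the 'mailerlite_forms' table's 'form_description' and 'success_message' columns for stored script content. The row layout, the dict keys used for the columns, the sample rows and the indicator patterns are assumptions made for this example.

```python
import re

# Versions up to and including 1.7.16 are affected; 1.7.17 is the fixed release (per the advisory).
FIXED_VERSION = (1, 7, 17)

# Heuristic indicators of script stored in a form field (assumption: a legitimate
# description or success message has no reason to contain any of these).
SUSPICIOUS = [
    re.compile(r"<\s*script\b", re.I),              # inline script element
    re.compile(r"\bon[a-z]+\s*=", re.I),            # event-handler attribute such as onerror=
    re.compile(r"javascript\s*:", re.I),            # javascript: URI in href/src
    re.compile(r"<\s*(iframe|object|embed)\b", re.I),
]

# The two parameters named in the advisory, used here as column names (assumed layout).
FIELDS = ("form_description", "success_message")


def parse_version(v):
    """Turn '1.7.16' into (1, 7, 16) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))


def is_vulnerable_version(v):
    """True when the installed plugin version is below the fixed release."""
    return parse_version(v) < FIXED_VERSION


def scan_rows(rows):
    """Return (row id, field, matched pattern) for every field that looks like stored script."""
    findings = []
    for row in rows:
        for field in FIELDS:
            value = row.get(field) or ""
            for pat in SUSPICIOUS:
                if pat.search(value):
                    findings.append((row["id"], field, pat.pattern))
                    break  # one finding per field is enough for triage
    return findings


# Constructed sample rows standing in for a SELECT over the forms table.
SAMPLE_ROWS = [
    {"id": 1, "form_description": "Join our newsletter", "success_message": "Thanks for subscribing!"},
    {"id": 2, "form_description": "<b>Weekly</b> digest", "success_message": '<img src=x onerror="/* handler */">'},
    {"id": 3, "form_description": "<script>/* injected */</script>", "success_message": "Done"},
]

if __name__ == "__main__":
    print("installed 1.7.16 vulnerable:", is_vulnerable_version("1.7.16"))
    for row_id, field, pattern in scan_rows(SAMPLE_ROWS):
        print("row %d field %s matched %s" % (row_id, field, pattern))
```

Point the scan at real rows by replacing SAMPLE_ROWS with the result of a SELECT of the same two columns; any finding should then be reviewed against the form's revision history and the admin actions that touched it.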
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the MailerLite – Signup forms plugin to version 1.7.17 or later, where input sanitization has been enhanced using the 'wp_kses_post()' function to properly sanitize form fields such as 'form_description' and 'success_message', preventing stored XSS. Additionally, restrict administrator access to trusted users only, and review existing forms for any injected malicious scripts. Applying the update will ensure that user inputs are sanitized and output escaping is enforced, mitigating the vulnerability. [2]
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the MailerLite – Signup forms (official) plugin for WordPress, affecting versions up to and including 1.7.16. It occurs because the plugin does not properly sanitize or escape input in the 'form_description' and 'success_message' parameters. Authenticated users with administrator access or higher can inject malicious scripts that execute whenever a user views the affected page.
How can this vulnerability impact me?
The vulnerability allows attackers with administrator-level access to inject arbitrary scripts into pages, which execute when users access those pages. This can lead to unauthorized actions such as stealing user credentials, session hijacking, or delivering malicious payloads, potentially compromising the security and integrity of the affected website and its users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with administrator access to inject arbitrary scripts via stored Cross-Site Scripting (XSS) in the MailerLite WordPress plugin. This could lead to unauthorized access or manipulation of user data, potentially compromising the confidentiality and integrity of personal information. Such a compromise may negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data against unauthorized access and ensuring secure processing. However, specific impacts on compliance are not detailed in the provided resources. [1, 3]