CVE-2025-13497
Stored XSS in Recras WordPress Plugin Allows Script Injection
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| recras | recras | to 6.4.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Recras WordPress plugin up to version 6.4.1. It occurs because the plugin does not properly sanitize or escape input in the 'recrasname' shortcode attribute. As a result, authenticated users with Contributor-level access or higher can inject malicious scripts into pages, which then execute when other users view those pages.
How can this vulnerability impact me? :
The vulnerability allows attackers with Contributor-level access or above to inject arbitrary scripts into pages. This can lead to unauthorized actions such as stealing user session data, defacing the website, or performing actions on behalf of other users without their consent, potentially compromising the security and integrity of the website and its users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your WordPress site is running the Recras plugin version 6.4.1 or earlier, as these versions are vulnerable. Since the vulnerability involves stored Cross-Site Scripting via the 'recrasname' shortcode attribute, you can scan your WordPress content and posts for usage of the '[recrasname]' shortcode with suspicious or script-injected attribute values. Additionally, monitoring HTTP requests and responses for injected scripts in pages generated by the plugin may help detect exploitation attempts. Specific commands are not provided in the resources, but you can use WordPress CLI commands to list plugin versions, for example: `wp plugin list --format=json` to check the Recras plugin version. For scanning content, you might use grep or similar tools to search for the shortcode usage in your WordPress database or files. For example, using WP-CLI to search posts: `wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[recrasname%';"` to find posts containing the shortcode. Network detection would involve inspecting HTTP responses for injected scripts, but no specific commands are provided. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Recras WordPress plugin to version 6.4.2 or later, as this update includes fixes that address the stored Cross-Site Scripting vulnerability by improving input sanitization and output escaping. Applying this update will prevent authenticated users with Contributor-level access and above from injecting arbitrary scripts via the 'recrasname' shortcode attribute. Additionally, review and sanitize any existing content that may have been injected with malicious scripts. If updating immediately is not possible, consider restricting Contributor-level access temporarily to trusted users only to reduce the risk of exploitation. [1]