CVE-2025-13627
Stored XSS in Makesweat WordPress Plugin Allows Admin Script Injection
Publication date: 2026-01-14
Last updated on: 2026-01-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| makesweat | makesweat | to 0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Makesweat WordPress plugin is a Stored Cross-Site Scripting (XSS) issue affecting the 'makesweat_clubid' setting in all versions up to and including 0.1. Due to insufficient input sanitization and output escaping, an authenticated attacker with administrator-level access can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising user interactions.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator privileges to inject malicious scripts that execute in the context of users visiting the affected pages. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of users without their consent.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you should check if the Makesweat WordPress plugin version 0.1 or earlier is installed and active on your WordPress site. Specifically, verify if the 'makesweat_clubid' setting is present and can be manipulated. Since the vulnerability involves stored cross-site scripting via this setting, you can inspect the plugin settings page in the WordPress admin area for suspicious script injections. Additionally, you can search your WordPress database options table for the 'makesweat_clubid' option to see if it contains unexpected script content. Example commands for a Linux server with command line access to the WordPress database might include: 1. Check plugin version via filesystem: grep -i 'Version' wp-content/plugins/makesweat/makesweat.php 2. Query the WordPress database for the clubid option (replace DB_NAME, DB_USER, DB_PASS accordingly): mysql -u DB_USER -pDB_PASS DB_NAME -e "SELECT option_value FROM wp_options WHERE option_name = 'makesweat_clubid';" 3. Inspect web pages that use the Makesweat plugin for injected scripts by reviewing page source or using web vulnerability scanners that detect stored XSS. Note: Since the vulnerability requires administrator-level access to inject scripts, monitoring admin activity logs for suspicious changes to plugin settings is also recommended. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Disable or deactivate the Makesweat plugin on your WordPress site until a patched version is available, as the plugin was closed temporarily pending a full review. 2. Remove or sanitize the 'makesweat_clubid' setting in your WordPress options to ensure no malicious scripts are stored. 3. Restrict administrator-level access to trusted users only, since exploitation requires admin privileges. 4. Monitor and audit admin activity for any unauthorized changes. 5. Keep your WordPress installation and all plugins updated, and watch for announcements regarding a fixed version of the Makesweat plugin. 6. Consider implementing web application firewall (WAF) rules to block potential XSS payloads targeting this plugin. These steps help prevent exploitation of the stored cross-site scripting vulnerability until an official patch is released. [2, 3]