CVE-2025-13847
Stored XSS in PhotoFade WordPress Plugin Allows Script Injection
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| photofade | photofade | up to 0.2.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The PhotoFade WordPress plugin has a Stored Cross-Site Scripting (XSS) vulnerability via the 'time' parameter in all versions up to and including 0.2.1. It exists because the plugin neither sanitizes the input nor escapes it on output, which allows authenticated users with Contributor-level access or higher to inject arbitrary scripts. The injected scripts are stored and execute whenever any user views the affected page. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers with Contributor-level access to inject arbitrary scripts that execute in the browsers of users who visit the infected pages. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed in the context of the affected website. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability means looking for script content submitted through, or stored in, the PhotoFade 'time' parameter. Because it is a Stored Cross-Site Scripting (XSS) issue in that parameter, you can monitor HTTP requests and web server logs for unexpected markup in it, using web server log analysis tools or a grep such as `grep -i 'time=.*<script' /var/log/apache2/access.log` or `grep -i 'time=.*<script' /var/log/nginx/access.log`. Note that these patterns only match a literal, unencoded `<script` tag in the logged request line; access logs normally record the query string percent-encoded and do not record POST bodies at all, so a payload saved through the editor may never appear in them in that form. Scanning the WordPress database for stored scripts in posts or pages that use the PhotoFade shortcode is therefore the more reliable check. No specific detection commands or tools are detailed in the provided resources.
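As an added example (not code from the advisory, the plugin or Wordfence), the following Python script implements the two checks described above: it scans access-log lines for a `time` query parameter whose percent-decoded value contains script-like content (which the literal grep would miss), and it scans stored post content for PhotoFade shortcodes whose `time` attribute carries markup. The shortcode tag `photofade`, the combined log format and the sample log lines and post content are all assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Markup/script indicators in a value that should only ever be a duration.
# Deliberately broad: every hit is for a human to review, not an automatic block.
SCRIPT_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe)\b|javascript\s*:|\bon[a-z]+\s*=", re.I)

def suspicious_time_params(log_lines):
    """Return (line_no, decoded_value) for each access-log line whose request URL
    carries a 'time' query parameter with script-like content. Values are
    percent-decoded before matching, so encoded payloads are still reported."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        req = re.search(r'"(?:GET|POST)\s+(\S+)\s+HTTP/', line)
        if not req:
            continue
        query = urlsplit(req.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get("time", []):
            decoded = unquote(value)  # second decode catches double-encoding
            if SCRIPT_MARKERS.search(decoded):
                hits.append((line_no, decoded))
    return hits

# Stored-content check. The tag name 'photofade' is an assumption; the advisory
# names the 'time' parameter but not the shortcode tag.
SHORTCODE = re.compile(r"\[photofade\b([^\]]*)\]", re.I)
TIME_ATTR = re.compile(r"""\btime\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""", re.I)

def suspicious_shortcode_time(post_content):
    """Return 'time' attribute values of [photofade] shortcodes in stored post
    content that contain script-like markup (approximates WP attribute parsing)."""
    hits = []
    for shortcode in SHORTCODE.finditer(post_content):
        for attr in TIME_ATTR.finditer(shortcode.group(1)):
            value = next(g for g in attr.groups() if g is not None)
            if SCRIPT_MARKERS.search(value):
                hits.append(value)
    return hits

# Constructed sample data (not real logs or site content).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2026:10:00:01 +0000] "GET /?time=1500 HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Jan/2026:10:00:02 +0000] "GET /?time=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Jan/2026:10:00:03 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0',
]
SAMPLE_POST = '<p>Gallery</p>[photofade time="2000"][photofade time="<script>alert(1)</script>"]'

if __name__ == "__main__":
    print(suspicious_time_params(SAMPLE_LOG))      # flags line 2 only
    print(suspicious_shortcode_time(SAMPLE_POST))  # flags the second shortcode
```

To run it against a real site, feed `suspicious_time_params` the lines of your access log and `suspicious_shortcode_time` the `post_content` column exported from `wp_posts`.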
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps: until a patched version is available, restrict users with Contributor-level access or higher from using the PhotoFade plugin, since exploitation requires authenticated Contributor-level access. Disabling or uninstalling the PhotoFade plugin (version 0.2.1 and earlier) prevents exploitation outright. Review and sanitize any stored content where the 'time' parameter is used, so that scripts already injected are removed. Apply any update or patch from the plugin author as soon as one is released. Because the plugin lacks input sanitization and output escaping for the 'time' parameter, avoid using this parameter, or the plugin, until it is fixed.