CVE-2025-13967
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woodpecker | woodpecker_for_wordpress | to 3.0.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Woodpecker for WordPress plugin (up to version 3.0.4) is a Stored Cross-Site Scripting (XSS) issue via the 'form_name' parameter of the [woodpecker-connector] shortcode. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising site security by running malicious code in users' browsers. [3, 5]
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or above to inject malicious scripts into WordPress pages, which will execute in the browsers of users who visit those pages. This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacement, or spreading malware. Since the scripts are stored and executed on page load, it poses a persistent threat to site visitors and administrators. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the Woodpecker for WordPress plugin version 3.0.4 or earlier is installed and active on your WordPress site. Since the vulnerability involves the 'form_name' parameter of the [woodpecker-connector] shortcode allowing Stored Cross-Site Scripting (XSS), you can test for it by submitting crafted input containing script tags or JavaScript payloads in the 'form_name' parameter via the form generated by the shortcode. Monitoring HTTP requests to the form submission endpoint (typically via WordPress AJAX at admin-ajax.php) for suspicious payloads or unexpected script content in stored pages can help detect exploitation attempts. For command-line detection, you can use curl or wget to send test POST requests with XSS payloads to the form submission URL and observe responses or stored content. Example command to test injection: curl -X POST -d "form_name=<script>alert(1)</script>&accept_policy=1&other_required_fields=values" https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=woodpecker_submit (replace parameters as needed). Additionally, scanning your WordPress plugins for version and known vulnerabilities using WP-CLI commands like `wp plugin list` can help identify vulnerable plugin versions. [2, 3, 5]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Update the Woodpecker for WordPress plugin to a version later than 3.0.4 where the vulnerability is fixed. 2. If an update is not immediately available, restrict Contributor-level and above users from accessing or using the [woodpecker-connector] shortcode or forms until patched. 3. Implement additional input sanitization and output escaping for the 'form_name' parameter and other user inputs in the plugin code to prevent script injection. 4. Use Web Application Firewall (WAF) rules to block or sanitize malicious payloads targeting the vulnerable parameter. 5. Monitor logs and audit user submissions for suspicious scripts or payloads. 6. Consider disabling the plugin temporarily if the risk is high and no patch is available. These steps help prevent exploitation by limiting the ability of authenticated users to inject malicious scripts and reduce the attack surface. [2, 3]