CVE-2025-15000
Stored XSS in WordPress Page Keys Plugin Allows Admin Script Injection
Publication date: 2026-01-07
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | page_keys | to 1.3.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator-level access to inject malicious scripts into WordPress pages. These scripts execute in the context of users visiting the affected pages, potentially leading to theft of user credentials, session hijacking, or other malicious actions. Because the vulnerability is stored, the malicious script persists and affects all users who view the infected page. This can compromise the security and integrity of the website and its users. [1]
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Page Keys WordPress plugin (up to version 1.3.3). It occurs due to insufficient input sanitization and output escaping of the 'page_key' parameter. Authenticated users with administrator-level access can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page. The vulnerability specifically affects multi-site WordPress installations or those where the 'unfiltered_html' capability is disabled. The root cause involves insecure handling of page key entries in the admin interface, including weak row ID generation and lack of robust permission checks, which can allow unauthorized editing or deletion of page keys. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of the Page Keys plugin version 1.3.3 or earlier on WordPress multi-site installations where unfiltered_html is disabled. Since the vulnerability is related to stored Cross-Site Scripting via the 'page_key' parameter, you can look for suspicious or unexpected script tags or payloads in the page keys stored in the database. There are no specific commands provided in the resources, but you can use WP-CLI commands to list installed plugins and their versions, for example: `wp plugin list --format=json` to identify if the vulnerable plugin is installed. Additionally, inspecting the database entries for the 'page_key' parameter in the relevant tables may help detect injected scripts. Monitoring HTTP requests for unusual payloads targeting the 'page_key' parameter in admin pages could also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Page Keys plugin to a version later than 1.3.3 where the vulnerability is fixed. If an update is not available, restrict administrator-level access to trusted users only, especially on multi-site installations and where unfiltered_html is disabled. Review and sanitize existing 'page_key' entries in the database to remove any injected scripts. Implement additional input validation and output escaping for the 'page_key' parameter if possible. Also, consider enabling nonce verification and capability checks for actions like deleting or editing page keys to prevent unauthorized manipulation. [1]