CVE-2025-13617
Stored XSS in Apollo13 Framework Extensions Plugin Allows Script Injection
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apollo13 | framework_extensions | to 1.9.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Apollo13 Framework Extensions plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the βa13_alt_linkβ parameter. This vulnerability exists in all versions up to and including 1.9.8 because the plugin does not properly sanitize or escape input and output for this parameter.
An authenticated attacker with Contributor-level access or higher can inject malicious web scripts into pages via this parameter. These scripts will execute whenever any user accesses the infected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject arbitrary scripts into pages viewed by other users. This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacement, or spreading malware.
Because the malicious scripts execute in the context of the affected website, it can compromise the security and trustworthiness of the site, potentially harming both site administrators and visitors.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves stored Cross-Site Scripting (XSS) via the 'a13_alt_link' parameter in the Apollo13 Framework Extensions WordPress plugin. Detection involves identifying if your WordPress installation uses this plugin version 1.9.8 or earlier and if any post metadata contains malicious scripts injected through the '_alt_link' field.
You can detect suspicious entries by querying the WordPress database for the '_alt_link' post meta values that contain script tags or suspicious JavaScript code.
- Use a SQL query to find suspicious '_alt_link' meta values, for example: SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_alt_link' AND meta_value LIKE '%<script>%';
- Check your web server logs for unusual URL parameters or requests containing suspicious payloads targeting 'a13_alt_link'.
- Use WordPress CLI commands to list post meta and inspect '_alt_link' values, e.g., wp post meta list <post_id> --keys=_alt_link
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "The primary mitigation is to update the Apollo13 Framework Extensions plugin to version 1.9.9 or later, where the vulnerability has been fixed by properly sanitizing and escaping the '_alt_link' post meta value."}, {'type': 'paragraph', 'content': 'If immediate updating is not possible, restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated access with Contributor-level or above.'}, {'type': 'paragraph', 'content': "Review and clean any suspicious '_alt_link' post meta entries in your database to remove injected scripts."}, {'type': 'paragraph', 'content': 'Consider implementing Web Application Firewall (WAF) rules to block malicious payloads targeting this parameter.'}] [3, 2]