VulnerAlert
WORDPRESS
15-12-2025 03:20
CVE-2025-13355
Documented vulnerability
No score
Tags
#wordpress
#site
#plugin
#cross
#cross-site
#admin
#cross-site scripting
#scripting
#privilege
Description
The URL Shortify WordPress plugin before 1.11.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
https://wpscan.com/vulnerability/8581af77-2d72-48e8-9b22-2c36f122473c/
Affects Plugins
url-shortify
Fixed in 1.11.4
References
CVE
CVE-2025-13355
Classification
Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)
Miscellaneous
Original Researcher
Gregory Allegoet
Submitter
Gregory Allegoet
Submitter website
https://yiikergiiker.github.io/
Verified
Yes
WPVDB ID
8581af77-2d72-48e8-9b22-2c36f122473c
Timeline
Publicly Published
2025-11-24
(about 21 days ago)
Added
2025-11-24
(about 20 days ago)
Last Updated
2025-11-24
(about 20 days ago)
Other
Published
2024-11-26
Title
WP Admin UI Customize < 1.5.14 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2025-02-17
Title
WP-BibTeX <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-24
Title
WP Colorful Tag Cloud <= 2.0.1 - Reflected Cross-Site Scripting
Published
2021-08-23
Title
Gallery Blocks with Lightbox < 2.2.1 - Authenticated Stored Cross-Site Scripting
Published
2021-06-28
Title
Tutor LMS < 1.9.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference
Related CVE(s)
External link
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-13355
Similar results
Matching at least 50% of the tags
16-12-2025
CVE-2025-13956
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized acce...
15-12-2025
CVE-2025-14045
The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due...
This project was co-financed by the Consejo Nacional de Ciencia y Tecnología (CONACYT) through PROINNOVA 2021/2023
Project carried out by