Urgent: Stored XSS Threat Detected in User Profile Builder WordPress Plugin (CVE-2025-13054)

Overview

CVE-2025-13054 is a stored Cross-Site Scripting (XSS) vulnerability in the User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress. It affects all versions up to and including 3.14.8. An authenticated attacker with Contributor-level access or higher can inject malicious JavaScript into pages that use the vulnerable plugin’s shortcode. When other users view those pages, the injected script executes in their browsers, potentially leading to account compromise, data theft, or other malicious activity.

Technical Details

The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes in the wppb-embed shortcode. An attacker can place JavaScript in a shortcode attribute; because the plugin neither sanitizes that value on input nor escapes it on output, the payload is stored in the database with the post and rendered unmodified whenever the page containing the shortcode is viewed. The script therefore runs in the browser of every user who loads that page, with that user’s session and privileges.
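The pattern behind this class of bug, shown as an added example rather than the plugin’s actual code: a hypothetical example-embed shortcode is rendered first in the unsafe way (attribute values concatenated straight into HTML) and then in the WordPress-idiomatic way (validate each attribute on the way in, escape for the exact output context on the way out). The shortcode tag, the handler names and the attribute names (form, class, redirect) are invented for illustration; shortcode_atts, absint, sanitize_html_class, esc_url_raw, esc_attr, esc_url, esc_html and add_shortcode are real WordPress core functions, so the file runs inside any WordPress install as a small plugin.

```php
<?php
/**
 * Hypothetical shortcode handler, shown unsafe and hardened. Added example;
 * not the User Profile Builder plugin's code. Tag and attribute names are
 * invented. Runs inside WordPress (drop into a plugin or functions.php).
 */

function example_embed_defaults() {
    return array( 'form' => '', 'class' => '', 'redirect' => '' );
}

/*
 * UNSAFE pattern: attribute values are concatenated straight into HTML.
 * shortcode_atts() only fills in defaults; it sanitises nothing. Whoever can
 * insert the shortcode into a post therefore controls what lands in each
 * attribute value and, by breaking out of it, the surrounding markup.
 * Core's kses filtering does not help here: shortcode syntax is plain text
 * when the post is saved and only becomes HTML when this handler runs.
 */
function example_embed_unsafe( $atts ) {
    $atts = shortcode_atts( example_embed_defaults(), $atts, 'example-embed' );
    return '<div class="' . $atts['class'] . '" data-redirect="' . $atts['redirect'] . '">'
         . 'Form: ' . $atts['form'] . '</div>';
}

/*
 * HARDENED pattern: validate each attribute against what it must be on the
 * way in, then escape for the exact output context on the way out.
 */
function example_embed_safe( $atts ) {
    $atts = shortcode_atts( example_embed_defaults(), $atts, 'example-embed' );

    $form     = absint( $atts['form'] );                // a numeric form ID, nothing else
    $class    = sanitize_html_class( $atts['class'] );  // keeps only [A-Za-z0-9_-]
    $redirect = esc_url_raw( $atts['redirect'] );       // '' unless the scheme is allowed (javascript: is not)

    if ( 0 === $form ) {
        return ''; // refuse to render without a valid ID
    }

    return sprintf(
        '<div class="%s" data-redirect="%s">Form: %s</div>',
        esc_attr( $class ),   // HTML attribute context
        esc_url( $redirect ), // URL-in-attribute context
        esc_html( $form )     // text node context
    );
}

// Only the hardened handler is registered; the unsafe one is kept for contrast.
add_shortcode( 'example-embed', 'example_embed_safe' );
```

The important design point is that the two steps are not interchangeable: sanitize_html_class and esc_url_raw reduce each value to the shape the feature actually needs, while esc_attr, esc_url and esc_html make whatever survives inert in the specific HTML context it is printed into. Escaping alone would still let an attacker-controlled redirect target through; validation alone would still break out of an attribute if the value were printed raw.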

CVSS Analysis

  • CVE ID: CVE-2025-13054
  • Severity: MEDIUM
  • CVSS Score: 6.4
  • CVSS Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

This CVSS score indicates a medium-severity vulnerability. The vector reflects that the attacker needs an authenticated, low-privileged account (PR:L) and that a victim must view the affected page (UI:R); the scope is marked changed (S:C) because the script executes in another user’s browser rather than within the plugin itself, with low confidentiality and integrity impact and no availability impact.

Possible Impact

Successful exploitation of this vulnerability can have serious consequences:

  • Account Takeover: An attacker could potentially steal user session cookies and hijack user accounts, including administrator accounts.
  • Malicious Redirects: Injected JavaScript could redirect users to phishing websites or other malicious destinations.
  • Data Theft: Sensitive data displayed on the affected page could be stolen or manipulated.
  • Defacement: The attacker could modify the content of the page, defacing the website.
  • Administrative Access: An attacker compromising an administrator account could gain complete control over the WordPress website.

Mitigation/Patch Steps

The most effective way to mitigate this vulnerability is to update the User Profile Builder plugin to the latest version. If an update is not yet available, consider the following temporary measures:

  1. Update the Plugin: Ensure you have the latest version of User Profile Builder installed. Check for updates in your WordPress dashboard under “Plugins.”
  2. Disable the Plugin (Temporary): If an immediate update isn’t possible, temporarily disable the User Profile Builder plugin until a patched version is available.
  3. Review User Roles: Limit the number of users with contributor or higher roles.
  4. Web Application Firewall (WAF): Implement a web application firewall (WAF) and configure it to block XSS attacks. Ensure the WAF rules are up-to-date.
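As an added example (not from the plugin vendor or the original post), the following must-use plugin puts two of the stop-gap measures above into code until the update is applied. It unregisters only the wppb-embed shortcode, so any payload already stored in its attributes is never rendered (a narrower form of step 2 that leaves the rest of the plugin active), and it strips that shortcode from content saved by any user who lacks the unfiltered_html capability, which Contributors and Authors never hold on a single-site install (in the spirit of step 3). The file name, the assumption that the plugin registers its shortcode on the init hook at the default priority, and the log-line format are mine; remove_shortcode, shortcode_exists, the content_save_pre filter, current_user_can and wp_get_current_user are core WordPress APIs.

```php
<?php
/**
 * Plugin Name: wppb-embed stop-gap hardening (example)
 * Description: Temporary controls while User Profile Builder is still at a
 *              version affected by CVE-2025-13054. Added example, not vendor
 *              code. Install as wp-content/mu-plugins/wppb-stopgap.php
 */

// Shortcode tag named in the advisory.
const WPPB_STOPGAP_TAG = 'wppb-embed';

/*
 * Measure A: unregister only the vulnerable shortcode.
 * Stored payloads in its attributes are then never turned into markup; the
 * shortcode text is shown verbatim and the rest of the plugin keeps working.
 * Assumption: the plugin registers its shortcodes on 'init' at the default
 * priority (10), so a later priority runs after add_shortcode() was called.
 */
add_action( 'init', function () {
    if ( shortcode_exists( WPPB_STOPGAP_TAG ) ) {
        remove_shortcode( WPPB_STOPGAP_TAG );
    }
}, PHP_INT_MAX );

/*
 * Measure B: refuse to store the shortcode from low-privileged users.
 * Contributors and Authors never hold 'unfiltered_html'; Editors and
 * Administrators do on a single-site install, so their content is untouched.
 * 'content_save_pre' receives slashed content (quotes appear as \"), which
 * the pattern tolerates. It stops at the first ']', so this is a coarse
 * filter meant as a temporary layer, not a substitute for the patch.
 */
add_filter( 'content_save_pre', function ( $content ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content;
    }
    $pattern  = '/\[' . preg_quote( WPPB_STOPGAP_TAG, '/' ) . '(?=[\s\]\/])[^\]]*\]/i';
    $stripped = preg_replace( $pattern, '', $content, -1, $count );
    if ( $count > 0 ) {
        // Log line format is constructed for this example.
        $user = wp_get_current_user();
        error_log( sprintf(
            '[wppb-stopgap] removed %d "%s" shortcode(s) from content saved by user #%d (%s)',
            $count, WPPB_STOPGAP_TAG, $user->ID, $user->user_login
        ) );
    }
    return $stripped;
} );
```

Place the file in wp-content/mu-plugins/ (create the directory if it does not exist); must-use plugins load automatically and cannot be deactivated from the dashboard, which is what you want for an emergency control. Pages that contain the shortcode will show it as literal text while measure A is active, so remove the file once the plugin is updated past 3.14.8. The error_log line also gives you a simple signal to watch for accounts that keep trying to insert the shortcode.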

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
