Overview
A reflected Cross-Site Scripting (XSS) vulnerability has been disclosed in the Application Passwords plugin for WordPress. Tracked as CVE-2025-13308, it affects all versions up to and including 0.1.3. An unauthenticated attacker can inject arbitrary web script through the ‘reject_url’ parameter; the script runs in the browser of a user who follows a crafted link to the plugin's authorization page and then clicks its “No, I do not approve of this connection” button. Update to a patched version as soon as one is available.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the ‘reject_url’ parameter. The plugin takes this URL from the request and uses it as the link target of the “No, I do not approve of this connection” button without validating its scheme, so an attacker can supply a javascript: URI where an http(s) URL is expected. When a user who has been tricked into visiting a specially crafted link clicks that button, the browser follows the javascript: link and runs the attacker's code under the vulnerable site's origin, with the user's session. The vulnerable code locations include:
Exploitation therefore requires two user actions: the victim must open a URL that carries the payload in the ‘reject_url’ parameter, and then click the “No, I do not approve of this connection” button on the resulting page. Because the flaw is reflected, nothing is stored on the server; each victim has to be lured to the crafted link separately.
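To make the scheme check concrete, here is an added example in JavaScript (Node, using the WHATWG URL parser, which applies the same parsing rules a browser applies to an href). It is not the plugin's code or its patch; the site base URL, the function names, and every sample value and log line are constructed for illustration. It contrasts a string-prefix filter with a parser-based allowlist of http(s), and then applies the same check to ‘reject_url’ values pulled from constructed access-log lines, which is how one would look for attempted exploitation.

```javascript
// Added example (not the plugin's code). Validates a reject_url-style
// redirect parameter the way the browser will interpret it, and scans
// access-log lines for requests carrying a value that fails the check.
// SITE_BASE, the helper names and all sample data are constructed.

const SITE_BASE = "https://example.test/wp-admin/authorize-application.php";

// A string-prefix filter of the kind that normalized payloads slip past.
function naiveAllowsUrl(raw) {
  return !raw.trim().toLowerCase().startsWith("javascript:");
}

// Hardened check: parse with the WHATWG URL parser (the algorithm the
// browser applies to href), which strips leading C0 controls and spaces,
// removes embedded tabs and newlines, and lower-cases the scheme. Then
// allow only http(s). Relative values resolve against the site base.
function isSafeRedirectUrl(raw, base = SITE_BASE) {
  if (typeof raw !== "string" || raw.length === 0) return false;
  let parsed;
  try {
    parsed = new URL(raw, base);
  } catch {
    return false; // unparsable input is rejected rather than passed through
  }
  return parsed.protocol === "https:" || parsed.protocol === "http:";
}

// Constructed values an attacker might place in ?reject_url=, paired with
// the verdict the hardened check should return.
const SAMPLES = [
  ["https://example.test/wp-admin/", true],
  ["/wp-admin/profile.php", true],             // relative: resolves to https
  ["javascript:alert(document.domain)", false],
  ["JaVaScRiPt:alert(1)", false],              // scheme is case-insensitive
  ["java\tscript:alert(1)", false],            // tab is removed by the parser
  ["\u0001javascript:alert(1)", false],        // leading C0 control is stripped
  ["data:text/html,<script>alert(1)</script>", false],
  ["vbscript:msgbox(1)", false],
];

function checkSamples(samples = SAMPLES) {
  return samples.map(([raw, expected]) => ({
    raw,
    expected,
    hardened: isSafeRedirectUrl(raw),
    naive: naiveAllowsUrl(raw),
  }));
}

// Pull reject_url out of one combined-format access-log line. URLSearchParams
// percent-decodes the value, so encoded payloads are seen as PHP would see
// them in $_GET, not as they appear in the raw request line.
const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;
function rejectUrlFromLogLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  let req;
  try {
    req = new URL(m[1], SITE_BASE);
  } catch {
    return null;
  }
  return req.searchParams.get("reject_url");
}

// Return the log lines whose reject_url would fail the hardened check.
function scanAccessLog(lines) {
  return lines.filter((line) => {
    const value = rejectUrlFromLogLine(line);
    return value !== null && !isSafeRedirectUrl(value);
  });
}

// Constructed log lines: one benign request and two attempted payloads
// (a percent-encoded "j" and a percent-encoded tab inside the scheme).
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-admin/authorize-application.php?app_name=Test&reject_url=https%3A%2F%2Fexample.test%2Fwp-admin%2F HTTP/1.1" 200 512',
  '198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /wp-admin/authorize-application.php?app_name=Test&reject_url=%6aavascript%3Aalert(document.domain) HTTP/1.1" 200 512',
  '198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "GET /wp-admin/authorize-application.php?reject_url=java%09script%3Aalert(1) HTTP/1.1" 200 512',
];

console.table(checkSamples());
console.log("flagged requests:", scanAccessLog(SAMPLE_LOG).length);
```

Run it with node. The reason to parse before checking is that the browser, not the filter, decides what the scheme is: a leading control character, an embedded tab, or a percent-encoded letter in the query string all arrive as javascript: by the time the button is clicked, and the prefix filter accepts two of the three. The same reasoning applies to a WAF rule, which has to inspect the decoded parameter rather than the raw request line. The server-side fix in the plugin is the PHP equivalent: parse the value, accept only http or https, and escape it on output. A scheme allowlist alone still lets the parameter redirect off-site, so restricting the host to the site's own is a further hardening worth considering.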
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13308 a score of 5.4, classifying it as MEDIUM severity. The score reflects that the attack is delivered over the network and needs no privileges, but requires user interaction (following the link and then clicking the button), and that the injected script runs with the victim's session, so it can disclose data the victim can see and perform actions in their name. Confirm the vector string against the source you track before prioritising, as the same issue can be scored differently by different feeds.
Possible Impact
A successful XSS attack via CVE-2025-13308 could have several significant impacts:
- Session Hijacking: WordPress sets its authentication cookies HttpOnly, so script usually cannot read them directly, but script running in the victim's session can still issue authenticated requests (for example through the REST API, using nonces it fetches from the page) and so act as the user without ever seeing the cookie value. Since the script runs on the authorization page itself, that includes interacting with the authorization form shown there.
- Malware Distribution: The script could redirect the user to an attacker-controlled site or initiate a download.
- Defacement: The script can rewrite the page as rendered in the victim's browser. Because the flaw is reflected, this affects only users who follow the crafted link, not the site's stored content.
- Phishing: The script could replace the page with a fake WordPress login form, served under the site's own origin, to capture credentials.
Mitigation or Patch Steps
The most effective mitigation is to update the Application Passwords plugin to a version that fixes CVE-2025-13308. A correct fix validates the ‘reject_url’ value (accepting only http or https URLs) and escapes it on output. If no fixed version is available, deactivate the plugin until one is released. Application passwords have been part of WordPress core since version 5.6, so sites on a current WordPress release may be able to remove the plugin rather than keep it installed. Keep WordPress core and other plugins up to date to minimise attack surface, and review web-server access logs for requests to the plugin's authorization page whose ‘reject_url’ value carries a javascript: or data: scheme, including percent-encoded variants, as an indicator of attempted exploitation.