Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the TR Timthumb WordPress plugin. Designated as CVE-2025-13899, this flaw affects all versions up to and including 1.0.4. The vulnerability stems from inadequate sanitization of user-supplied input within shortcode attributes. This allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into pages and posts. When other users visit these compromised pages, the injected script will execute, potentially leading to data theft, account compromise, or other malicious activities.
Technical Details
The vulnerability exists because the TR Timthumb plugin fails to properly sanitize and escape user-provided input passed through shortcode attributes. An attacker can craft a malicious shortcode containing JavaScript code and embed it within a page or post. Since contributor-level users have the capability to create and edit posts, they can leverage this vulnerability to insert malicious scripts. This vulnerability is specifically located within the plugin’s front-end processing of shortcodes. The affected code resides in the inc/front.php file, around line 39.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns this vulnerability a score of 6.4, indicating a MEDIUM severity. This score reflects the following characteristics:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality Impact (C): Low (L)
- Integrity Impact (I): Low (L)
- Availability Impact (A): None (N)
The vulnerability requires user interaction to be triggered, but the potential impact on confidentiality and integrity warrants immediate attention.
Possible Impact
Successful exploitation of this vulnerability could have severe consequences:
- Account Compromise: An attacker could potentially steal user credentials or session cookies by injecting malicious JavaScript.
- Data Theft: Sensitive information displayed on the affected pages could be harvested by the attacker.
- Malware Distribution: The injected script could redirect users to malicious websites or initiate the download of malware.
- Website Defacement: The attacker could modify the content of the compromised pages, leading to website defacement.
Mitigation & Patch Steps
To mitigate this vulnerability, follow these steps:
- Remove the plugin: If you are not using the TR Timthumb plugin, the safest course of action is to remove it.
- Update if a patched version exists: Check for a patched version of the TR Timthumb plugin. If an update is available, install it immediately. As of this writing (Dec 6, 2025), no patched version is known to exist. Therefore, removing the plugin is highly recommended.
- Implement Web Application Firewall (WAF) rules: Configure your WAF to block requests containing potentially malicious JavaScript code in shortcode attributes.
- User Training: Educate your WordPress users, especially those with Contributor-level access, about the risks of XSS and the importance of sanitizing user input.