Social Feed Gallery Portfolio Plugin: Stored XSS Vulnerability (CVE-2025-13896)

Overview

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in the Social Feed Gallery Portfolio plugin for WordPress. The vulnerability, identified as CVE-2025-13896, affects all versions up to and including 1.3. It allows authenticated attackers with Contributor-level access or higher to store arbitrary web script in a post or page through the plugin's shortcode. The script executes in the browser of anyone who views that page, including an editor or administrator reviewing a contributor's submission, and can lead to account compromise, data theft, or site defacement. Update the plugin as soon as a fixed release is available, or apply the mitigation steps below in the meantime.

Technical Details

The vulnerability lies within the [igp-wp] shortcode provided by the Social Feed Gallery Portfolio plugin. Specifically, the ‘id’ attribute of this shortcode is neither validated on input nor escaped before being rendered into the page's HTML. An attacker who can create or edit posts (Contributors can write posts and submit them for review even though they cannot publish) places a crafted shortcode in the post content, and the payload is saved to the database with the rest of the post. Whenever that post is rendered, whether as a published page or in preview by an editor or administrator, the shortcode handler emits the attribute value unescaped and the injected JavaScript runs in the viewing user's browser, under the site's origin and with that user's session.

Here’s a simplified example of a malicious shortcode:

    [igp-wp id="<script>alert('XSS Vulnerability!')</script>"]

When a page containing this shortcode is viewed, the injected script triggers an alert box; a real attack would carry a more harmful payload. Note that the example is deliberately simplified: a Contributor account lacks the unfiltered_html capability, so WordPress's KSES filter strips a literal <script> tag from post content when the post is saved. A working payload has to survive that filter and rely only on the shortcode handler's missing escaping, which is exactly why an unescaped shortcode attribute is dangerous even on a site where post content is otherwise filtered.

The vulnerable code is located within the `includes/public/class-portfolio-shortcode.php` file, specifically around lines 58 and 208 in version 1.3.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) base score reported for CVE-2025-13896 is 6.4 (Medium). The CVSS v3.1 vector that produces that score with the metrics below is AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N; the same vector with User Interaction set to Required (UI:R) scores 5.4, so the 6.4 rating treats the stored payload as firing on an ordinary page view with no further action by the victim. The metrics are:

  • Attack Vector (AV): Network (N) – The vulnerability is exploitable remotely over HTTP.
  • Attack Complexity (AC): Low (L) – No special conditions beyond the attacker's account are needed; the crafted shortcode works reliably.
  • Privileges Required (PR): Low (L) – A low-privilege account (Contributor) is enough to store the payload.
  • User Interaction (UI): None (N) – The payload executes when the page is rendered; the victim does not have to click or accept anything beyond loading the page.
  • Scope (S): Changed (C) – The vulnerable component is the plugin running inside WordPress, but the impact lands in a different security authority, the viewing user's browser.
  • Confidentiality Impact (C): Low (L) – The script can read what the viewing user can see, not the server as a whole.
  • Integrity Impact (I): Low (L) – The script can act as the viewing user, but cannot directly modify arbitrary data on the server.
  • Availability Impact (A): None (N) – There is no impact on availability.

Possible Impact

Successful exploitation of this XSS vulnerability can have several negative consequences:

  • Account Compromise: The script runs with the session of whoever views the page. WordPress sets its authentication cookies with the HttpOnly flag, so reading them from document.cookie is not the usual route; instead the script issues authenticated requests on the victim's behalf, which for an administrator can include creating a new administrator account or changing site settings.
  • Website Defacement: Injected script can rewrite the page's content or appearance for every visitor.
  • Data Theft: Anything the viewing user can see or fetch, including private posts, user lists and settings in the admin area, can be read and exfiltrated.
  • Malware Distribution: The script can redirect visitors to attacker-controlled sites or serve them further payloads.

Mitigation and Patch Steps

  1. Update the Plugin: The most effective mitigation is to update the Social Feed Gallery Portfolio plugin to a version that fixes this issue as soon as one is released; check the WordPress plugin repository for updates. Until a fixed release exists, deactivating the plugin removes the shortcode handler, so the [igp-wp] shortcode is no longer expanded.
  2. Web Application Firewall (WAF): A WAF with XSS rules can block common payloads at the moment they are submitted, which is the point that matters for a stored XSS (the later page view that triggers it looks like any other request). Treat this as a stop-gap rather than a fix; rules keyed on obvious patterns are routinely bypassed.
  3. Input Sanitization and Output Escaping: If you are a developer, validate shortcode attributes according to the type of data they are supposed to carry (an id should be reduced to an integer with absint() or to a safe slug with sanitize_key()) and escape every value at output with the function that matches its context: esc_attr() inside HTML attributes, esc_html() for text nodes, esc_url() for URLs, and wp_kses() where a limited set of HTML is permitted.
  4. Restrict User Roles: Limit Contributor-level access or higher to people who genuinely need it, and review existing accounts; the attack needs only one such account.
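The unescaped-attribute pattern described under Technical Details and the validate-then-escape rule from step 3, side by side, as an added example. This is not the plugin's source (the page only locates that by file and line); the vulnerable handler is a hypothetical reconstruction of the pattern the advisory describes. The script stands in for esc_attr(), sanitize_key() and shortcode_atts() with minimal equivalents so it runs from the PHP 8 CLI without WordPress, and feeds both handlers a constructed attribute value. How such a value reaches the attribute through WordPress's shortcode parser and KSES is outside what this example, or the page, shows.

```php
<?php
// Added example, not the plugin's code. Minimal stand-ins for the WordPress
// helpers used below so the script runs without WordPress (assumption: they
// mirror the real functions closely enough for this demonstration).
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_key')) {
    function sanitize_key(string $key): string
    {
        // Lowercase and keep only [a-z0-9_-], as WordPress does.
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower($key));
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array
    {
        // Keep only the attributes the handler declares, with defaults.
        $out = [];
        foreach ($defaults as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Hypothetical reconstruction of the vulnerable pattern: the 'id' attribute
// is dropped straight into an HTML attribute with no validation or escaping.
function igp_wp_shortcode_vulnerable($atts): string
{
    $atts = shortcode_atts(['id' => ''], (array) $atts);
    return '<div class="igp-portfolio" data-feed-id="' . $atts['id'] . '"></div>';
}

// Hardened form: reduce the value to a safe identifier on the way in and
// escape it for the attribute context on the way out. Both layers matter:
// validation alone is lost if a later refactor echoes the raw value elsewhere,
// and escaping alone still stores junk that other code may trust.
function igp_wp_shortcode_hardened($atts): string
{
    $atts = shortcode_atts(['id' => ''], (array) $atts);
    $id = sanitize_key($atts['id']);
    if ($id === '') {
        return ''; // nothing to render for a missing or invalid id
    }
    return '<div class="igp-portfolio" data-feed-id="' . esc_attr($id) . '"></div>';
}

// Constructed attacker-controlled attribute value: a closing quote breaks out
// of data-feed-id and appends an event-handler attribute.
$malicious_id = '" onmouseover="alert(1)';

$vulnerable = igp_wp_shortcode_vulnerable(['id' => $malicious_id]);
$hardened   = igp_wp_shortcode_hardened(['id' => $malicious_id]);

echo "Vulnerable output:\n$vulnerable\n\n";
echo "Hardened output:\n$hardened\n\n";

// The injected handler must appear only in the vulnerable output.
if (!str_contains($vulnerable, 'onmouseover="') || str_contains($hardened, 'onmouseover="')) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
echo "check passed: event handler survives only in the vulnerable output\n";
```

With the constructed value the vulnerable handler emits `data-feed-id="" onmouseover="alert(1)"`, a live event handler, while the hardened handler emits `data-feed-id="onmouseoveralert1"`, an inert string. If the plugin's id is numeric, absint() in place of sanitize_key() is the tighter choice; the escaping call stays regardless.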
