Ultra Skype Button Plugin Vulnerable to Stored XSS: CVE-2025-13898

Overview

CVE-2025-13898 describes a stored cross-site scripting (XSS) vulnerability in the Ultra Skype Button plugin for WordPress, affecting all versions up to and including 1.0. An authenticated attacker with Contributor-level access or higher can inject arbitrary JavaScript into WordPress pages. The injected script then executes in the browser of every user who views the affected page, including logged-in editors and administrators, which can lead to account compromise, data theft, or other malicious activity.

Technical Details

The vulnerability is in the handling of the btn_id attribute of the [ultra_skype] shortcode. The attribute value arrives as part of post content, which WordPress stores verbatim, and the plugin neither sanitizes it when the shortcode is processed nor escapes it when the shortcode output is rendered into the page. Because the value lands in the generated HTML unchanged, an attacker can inject arbitrary HTML and JavaScript.

The vulnerable code is in the plugin’s main file (index.php).

An example of how the shortcode might be exploited:

[ultra_skype btn_id="<script>alert('XSS Vulnerability!');</script>"]

When this shortcode is saved in a page or post, the plugin renders the btn_id value into the page unescaped, and the script runs whenever the page is viewed. A Contributor cannot publish, but the shortcode is rendered when an Editor or Administrator previews the pending post, and on the public page once it is published. Note that post content from users without the unfiltered_html capability passes through wp_kses on save, which strips <script> tags, so the literal payload above is what a user with unfiltered_html could store; for lower-privileged users the same flaw is reached with any value that breaks out of the HTML attribute the plugin writes btn_id into. The fix is the same in either case: constrain the value and escape it on output.
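As an added illustration, not code from the plugin itself, here is the pattern the advisory describes next to a hardened handler. The function names, the default value and the markup the attribute lands in are assumptions; only the shortcode tag and the btn_id attribute come from the advisory. The WordPress functions used (shortcode_atts, sanitize_html_class, esc_attr, add_shortcode) are real core APIs.

```php
<?php
/*
 * Added example, not the Ultra Skype Button plugin's own code.
 * Shows the unescaped-attribute pattern behind CVE-2025-13898 beside a
 * hardened form. The <div id="..."> markup and the default 'skype-btn'
 * are assumptions about where btn_id ends up; only the shortcode tag and
 * the btn_id attribute come from the advisory.
 */

// Vulnerable pattern (assumed): the attribute is concatenated into HTML verbatim.
function example_ultra_skype_vulnerable( $atts ) {
	$atts = shortcode_atts( array( 'btn_id' => 'skype-btn' ), $atts, 'ultra_skype' );
	// $atts['btn_id'] is attacker-controlled post content; nothing is escaped.
	return '<div id="' . $atts['btn_id'] . '" class="ultra-skype-button"></div>';
}

// Hardened form: the value is constrained to what an HTML id may contain
// and escaped again at the point of output.
function example_ultra_skype_hardened( $atts ) {
	$atts = shortcode_atts( array( 'btn_id' => 'skype-btn' ), $atts, 'ultra_skype' );

	// sanitize_html_class() keeps only [A-Za-z0-9_-], which removes <, >, quotes,
	// slashes and whitespace; an empty result falls back to the default id.
	$btn_id = sanitize_html_class( $atts['btn_id'], 'skype-btn' );

	// esc_attr() is still applied: escape at output regardless of what
	// sanitization happened on the way in.
	return '<div id="' . esc_attr( $btn_id ) . '" class="ultra-skype-button"></div>';
}

// Register the hardened handler for the [ultra_skype] shortcode.
add_shortcode( 'ultra_skype', 'example_ultra_skype_hardened' );
```

With the hardened handler, the payload from the advisory collapses to the default id, and a value such as `x" onmouseover=...` loses its quotes and spaces before it ever reaches the markup.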

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13898 is 6.4 (Medium). The metrics below correspond to the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, which is the vector that computes to 6.4.

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

Privileges Required: Low reflects that Contributor-level access is enough to plant the payload. Scope: Changed reflects that the injected script executes in visitors' browsers, outside the security authority of the vulnerable plugin. Confidentiality and integrity impacts are rated Low because what the script can do depends on the privileges of whoever views the page; availability is not affected.

Possible Impact

A successful XSS attack via CVE-2025-13898 could have several negative consequences:

  • Account Takeover: The script runs with the privileges of whoever views the page. WordPress authentication cookies are set HttpOnly, so reading them from document.cookie is not the usual route; instead, a script executing in an administrator's session can call the REST API or admin-ajax with that session's nonces to create a new administrator, change an account's email address, or install a plugin.
  • Malware Distribution: Injected scripts could redirect users to malicious websites or initiate the download of malware.
  • Defacement: Attackers could modify the appearance of the affected website, displaying misleading or harmful content.
  • Data Theft: Sensitive information, such as user credentials or personal data, could be stolen and exfiltrated.

Mitigation or Patch Steps

The most effective mitigation strategy is to remove the Ultra Skype Button plugin from your WordPress installation. Since the plugin is vulnerable and hasn’t been updated, it’s best to avoid using it altogether.

If removing the plugin is not an option, consider the following (though these are not ideal solutions):

  • Implement a Web Application Firewall (WAF): A WAF can detect and block malicious requests, including attempts to save a post containing an XSS payload. Keep the rules up to date, and remember that a WAF inspects requests only: it does not neutralize a payload that is already stored in the database, so pair it with a review of existing content.
  • Restrict User Privileges: Limit the number of users with Contributor-level or higher access, and review pending and published posts that contain the [ultra_skype] shortcode for btn_id values that are not plain identifiers.
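A detection check, added here and not part of the original advisory or of WordPress: a standalone PHP function that finds [ultra_skype] shortcodes whose btn_id contains anything outside the characters sanitize_html_class() would keep. The post contents are constructed samples; on a live site you would feed it the post_content of every row in wp_posts (for example via $wpdb->get_results or wp post list). The function name and the safe character set are assumptions.

```php
<?php
// Added example, not part of the plugin or WordPress. Scans post content for
// [ultra_skype] shortcodes whose btn_id would not survive sanitize_html_class()
// unchanged, i.e. contains anything outside [A-Za-z0-9_-].

/**
 * Return the unsafe btn_id values found in one post's content.
 * Heuristic: each shortcode is matched up to the first ']', which is simpler
 * than WordPress's full shortcode regex but sufficient for this check.
 */
function ultra_skype_unsafe_btn_ids( $content ) {
	$unsafe = array();
	if ( ! preg_match_all( '/\[ultra_skype\b([^\]]*)\]/', $content, $tags, PREG_SET_ORDER ) ) {
		return $unsafe;
	}
	foreach ( $tags as $tag ) {
		// btn_id may be double-quoted, single-quoted or bare, as WP's attribute parser allows.
		if ( ! preg_match( '/\bbtn_id\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/', $tag[1], $m ) ) {
			continue;
		}
		// Pick whichever capture group actually matched.
		$value = '';
		for ( $i = 1; $i <= 3; $i++ ) {
			if ( isset( $m[ $i ] ) && $m[ $i ] !== '' ) {
				$value = $m[ $i ];
				break;
			}
		}
		// Anything outside the id-safe set is worth a human look.
		if ( preg_match( '/[^A-Za-z0-9_-]/', $value ) ) {
			$unsafe[] = $value;
		}
	}
	return $unsafe;
}

// Constructed sample rows standing in for (ID, post_content) from wp_posts.
$sample_posts = array(
	12 => 'Call us: [ultra_skype btn_id="sales-desk"]',
	13 => 'Hi [ultra_skype btn_id="<script>alert(\'XSS Vulnerability!\');</script>"] there',
	14 => "[ultra_skype btn_id='x\" onmouseover=\"alert(1)']",
	15 => 'No shortcode here',
);

foreach ( $sample_posts as $post_id => $content ) {
	foreach ( ultra_skype_unsafe_btn_ids( $content ) as $value ) {
		printf( "post %d: unsafe btn_id %s\n", $post_id, var_export( $value, true ) );
	}
}
```

Posts 13 and 14 are reported; post 12 carries a plain identifier and post 15 has no shortcode. Run the same function over real rows before and after removing the plugin, since deleting the plugin stops the shortcode from rendering but leaves the stored text in place.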

Important: There is no official patch available as of this writing. Removing the plugin is highly recommended.
