{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13308", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-17T14:43:02.776Z", "datePublished": "2025-12-06T05:49:27.817Z", "dateUpdated": "2026-04-08T16:54:57.094Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:57.094Z"}, "affected": [{"vendor": "georgestephanis", "product": "Application Passwords", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the \"No, I do not approve of this connection\" button, granted they can successfully trick the victim into performing an action such as clicking on a link."}], "title": "Application Passwords <= 0.1.3 - Reflected Cross-Site Scripting via reject_url", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59fdfdf3-e9fe-44d2-82f4-7a612a51d376?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/auth-app.js#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L418"}, {"url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L432"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-12-05T17:41:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T21:12:52.679732Z", "id": "CVE-2025-13308", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:13:03.657Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T21:12:52.679732Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:12:59.385Z"}}], "cna": {"title": "Application Passwords <= 0.1.3 - Reflected Cross-Site Scripting via reject_url", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "georgestephanis", "product": "Application Passwords", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T17:41:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59fdfdf3-e9fe-44d2-82f4-7a612a51d376?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/auth-app.js#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L418"}, {"url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L432"}], "descriptions": [{"lang": "en", "value": "The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the \"No, I do not approve of this connection\" button, granted they can successfully trick the victim into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:57.094Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13308", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:57.094Z", "dateReserved": "2025-11-17T14:43:02.776Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T05:49:27.817Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the \"No, I do not approve of this connection\" button, granted they can successfully trick the victim into performing an action such as clicking on a link."}], "id": "CVE-2025-13308", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T06:15:51.240", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/auth-app.js#L61"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L418"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L432"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59fdfdf3-e9fe-44d2-82f4-7a612a51d376?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T03:52:33.983882+00:00", "value": {"mitigation_remediation": ["Upgrade the Application Passwords plugin to the latest version beyond 0.1.3 where this issue is fixed.", "Remove or disable the reject_url functionality in the plugin configuration to eliminate the vulnerable input point.", "Implement input validation to reject javascript: or other dangerous URI schemes when the reject_url parameter is used."], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Application Passwords plugin by georgestephanis installed in any version up to and including 0.1.3 are affected. Site administrators should verify their plugin version and update to a patched release beyond 0.1.3.", "description_and_impact": "The Application Passwords WordPress plugin allows arbitrary JavaScript code to be injected through the reject_url parameter. Improper sanitization and escaping enable attackers to embed javascript: URI schemes, which can execute when a user clicks the \u2018No, I do not approve of this connection\u2019 button. This flaw permits attacker\u2011controlled script execution in the victim\u2019s browser without authentication.", "risk_and_exploitability": "The CVSS score of 5.4 places this vulnerability in the medium severity range, and the EPSS score of less than 1% indicates that the exploitation probability is currently low. It is not listed in the CISA KEV catalog. The likely attack vector is a link\u2011based social\u2011engineering scheme where an attacker supplies a crafted reject_url to a victim, who is then tricked into clicking the approval button. Because the vulnerability is unauthenticated, any user who visits a malicious URL could be exposed."}}}}, "created": "2025-12-08T09:39:24.222960+00:00", "updated": "2026-04-22T04:00:07.993386+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}