{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13365", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-18T17:08:35.108Z", "datePublished": "2025-12-20T03:20:25.202Z", "dateUpdated": "2026-04-08T17:29:31.845Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:31.845Z"}, "affected": [{"vendor": "tikolan", "product": "WP Hallo Welt", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'hallo_welt_seite' function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to the insufficient input sanitization and output escaping, this can lead to Stored Cross-Site Scripting."}], "title": "WP Hallo Welt <= 1.4. - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e422aa58-a335-4734-bbcd-d400bd44bc89?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/tags/1.4./hallowelt.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L54"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L66"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L27"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-12-19T15:06:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T20:28:33.044697Z", "id": "CVE-2025-13365", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:28:41.313Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13365", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T20:28:33.044697Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:28:37.108Z"}}], "cna": {"title": "WP Hallo Welt <= 1.4. - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "tikolan", "product": "WP Hallo Welt", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.4."}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T15:06:21.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e422aa58-a335-4734-bbcd-d400bd44bc89?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/tags/1.4./hallowelt.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L54"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L66"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L27"}], "descriptions": [{"lang": "en", "value": "The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'hallo_welt_seite' function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to the insufficient input sanitization and output escaping, this can lead to Stored Cross-Site Scripting."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-20T03:20:25.202Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13365", "state": "PUBLISHED", "dateUpdated": "2025-12-22T20:28:41.313Z", "dateReserved": "2025-11-18T17:08:35.108Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-20T03:20:25.202Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'hallo_welt_seite' function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to the insufficient input sanitization and output escaping, this can lead to Stored Cross-Site Scripting."}], "id": "CVE-2025-13365", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-20T04:16:07.367", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/tags/1.4./hallowelt.php#L53"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L15"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L27"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L53"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L54"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L66"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e422aa58-a335-4734-bbcd-d400bd44bc89?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:40:30.713584+00:00", "value": {"mitigation_remediation": ["Update WP Hallo Welt to the latest stable release", "If an immediate update is not possible, uninstall or disable the plugin entirely to prevent malicious configuration changes", "Configure a web application firewall or enforce CSRF tokens on admin endpoints to mitigate future risk"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "WordPress installations running the WP Hallo Welt plugin version 1.4 or earlier are affected. The vulnerability exists in all builds through tag 1.4 inclusive, and any site deploying the plugin at that version or lower is vulnerable.", "description_and_impact": "The WP Hallo Welt plugin for WordPress contains a Cross\u2011Site Request Forgery vulnerability that allows unauthenticated attackers to forge requests to the \u2018hallo_welt_seite\u2019 function. Because nonce validation is missing or incorrect, an attacker can trick a site administrator into unknowingly submitting a crafted request that changes plugin settings and injects arbitrary JavaScript. This results in stored Cross\u2011Site Scripting that can execute in the browsers of any user who visits affected pages, compromising confidentiality, integrity, and availability of the site content.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity, and the EPSS score of <\u202f1% suggests that exploitation is currently unlikely, though the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a CSRF request where the attacker lures a logged\u2011in administrator to click a malicious link or submit a forged form. Given the missing nonce and unsanitized input, success would result in persistent XSS, allowing attackers to steal session cookies, deface websites, or spread malware to site visitors."}}}}, "created": "2025-12-21T21:12:34.894833+00:00", "updated": "2026-04-21T00:45:23.096308+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}