{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13747", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-26T15:20:39.095Z", "datePublished": "2025-12-12T03:21:01.204Z", "dateUpdated": "2026-04-08T17:30:27.170Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:27.170Z"}, "affected": [{"vendor": "ice00", "product": "NewStatPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "NewStatPress <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ddc418-9458-4335-afdc-6d40c7e23060?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/newstatpress/tags/1.4.3/includes/nsp-core.php#L637"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426875%40newstatpress&new=3426875%40newstatpress&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-11-17T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-11T14:35:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T20:37:52.031593Z", "id": "CVE-2025-13747", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T20:38:01.607Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13747", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T20:37:52.031593Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T20:37:57.832Z"}}], "cna": {"title": "NewStatPress <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ice00", "product": "NewStatPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-17T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-11T14:35:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ddc418-9458-4335-afdc-6d40c7e23060?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/newstatpress/tags/1.4.3/includes/nsp-core.php#L637"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426875%40newstatpress&new=3426875%40newstatpress&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:27.170Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13747", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:27.170Z", "dateReserved": "2025-11-26T15:20:39.095Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:21:01.204Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13747", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:42.157", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/newstatpress/tags/1.4.3/includes/nsp-core.php#L637"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426875%40newstatpress&new=3426875%40newstatpress&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ddc418-9458-4335-afdc-6d40c7e23060?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:28:35.044312+00:00", "value": {"mitigation_remediation": ["Upgrade the NewStatPress plugin to a version later than 1.4.3.", "Adjust WordPress user roles so that contributors cannot insert the vulnerable shortcode or content that triggers it.", "Audit existing posts and pages for stored script payloads and remove any malicious code that may have been injected."], "summary": {"action": "Patch immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress installations using the NewStatPress plugin, any release up to and including version\u202f1.4.3. The vulnerability affects all users who have contributed content or higher roles that interact with the plugin\u2019s shortcode functionality.\n", "description_and_impact": "The NewStatPress WordPress plugin contains a stored cross\u2011site scripting flaw that is triggered by a regular expression bypass in the nsp_shortcode function. Unsanitized, user\u2011supplied attributes are stored and later rendered without proper escaping, allowing an attacker to inject arbitrary JavaScript into page content. When a victim page is viewed, the injected script executes in the victim\u2019s browser with the privileges of the page, enabling session hijacking, data theft, or defacement. The weakness is identified as CWE\u201179 and grants attackers the ability to run code within the context of the site\u2019s users.\n", "risk_and_exploitability": "The CVSS score of 6.4 places this issue in the moderate category, while the EPSS score of less than 1% indicates a low probability of active exploitation. The attack requires authenticated access with at least contributor privileges and is limited to the scope of pages that employ the affected shortcode. The lack of a KEV listing suggests that mass exploitation has not been observed yet, but the medium severity and the need for legitimate WordPress permissions mean the flaw should still be treated with priority.\n"}}}}, "created": "2025-12-12T08:48:16.622969+00:00", "updated": "2026-04-20T21:30:18.594278+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}