{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13838", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-01T18:44:29.304Z", "datePublished": "2025-12-21T02:20:31.615Z", "dateUpdated": "2026-04-08T16:51:40.521Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:40.521Z"}, "affected": [{"vendor": "htplugins", "product": "WishSuite \u2013 Wishlist for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WishSuite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter of the 'wishsuite_button' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WishSuite <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e1cd584-ffb8-43d6-a7b6-141c59ac463d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wishsuite/trunk/includes/templates/wishsuite-button-add.php#L1"}, {"url": "https://plugins.trac.wordpress.org/browser/wishsuite/tags/1.5.1/includes/templates/wishsuite-button-add.php#L1"}, {"url": "https://plugins.trac.wordpress.org/changeset/3419202/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2025-12-01T18:59:38.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-20T14:14:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T20:25:20.798001Z", "id": "CVE-2025-13838", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:25:30.097Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T20:25:20.798001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:25:24.265Z"}}], "cna": {"title": "WishSuite <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "htplugins", "product": "WishSuite \u2013 Wishlist for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-01T18:59:38.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-20T14:14:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e1cd584-ffb8-43d6-a7b6-141c59ac463d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wishsuite/trunk/includes/templates/wishsuite-button-add.php#L1"}, {"url": "https://plugins.trac.wordpress.org/browser/wishsuite/tags/1.5.1/includes/templates/wishsuite-button-add.php#L1"}, {"url": "https://plugins.trac.wordpress.org/changeset/3419202/"}], "descriptions": [{"lang": "en", "value": "The WishSuite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter of the 'wishsuite_button' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:40.521Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13838", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:40.521Z", "dateReserved": "2025-12-01T18:44:29.304Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-21T02:20:31.615Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WishSuite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter of the 'wishsuite_button' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13838", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-21T03:15:51.993", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wishsuite/tags/1.5.1/includes/templates/wishsuite-button-add.php#L1"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wishsuite/trunk/includes/templates/wishsuite-button-add.php#L1"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3419202/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e1cd584-ffb8-43d6-a7b6-141c59ac463d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:57:46.246827+00:00", "value": {"mitigation_remediation": ["Upgrade WishSuite to the latest version (1.5.2 or newer).", "If an upgrade cannot be performed immediately, identify and edit all instances of the wishsuite_button shortcode to remove or sanitize the button_text attribute, or temporarily disable the shortcode on pages until the patch is applied.", "Restrict Contributor-level and higher user roles from editing content that includes the wishsuite_button shortcode or downgrade those capabilities until the fix is in place."], "summary": {"action": "Apply Patch", "impact": "Stored Cross-Site Scripting via the button_text attribute of the wishsuite_button shortcode"}, "threat_synthesis": {"affected_systems": "All installations of the WishSuite \u2013 Wishlist for WooCommerce plugin for WordPress, specifically versions up to and including 1.5.1.", "description_and_impact": "The WishSuite \u2013 Wishlist for WooCommerce plugin is vulnerable because the button_text attribute of the wishsuite_button shortcode is stored without proper sanitization or escaping. An attacker who can log in with Contributor or higher privileges can insert arbitrary JavaScript into that attribute. When a page containing the shortcode is rendered, the injected script runs in the browser of any visitor, potentially allowing theft of session cookies, defacement, or malicious redirects. This compromise affects the confidentiality and integrity of site content for users who view the affected page.", "risk_and_exploitability": "The CVSS score of 6.4 characterizes this flaw as a medium\u2011severity vulnerability. The EPSS score of less than 1% indicates a low probability of current exploitation, and the issue is not listed in CISA\u2019s KEV catalog. Exploitation requires an authenticated user with Contributor-level access or higher who can edit content that includes the wishsuite_button shortcode. Once an injection is stored, any visitor who loads a page containing the shortcode will automatically execute the malicious script, so the impact is client\u2011side but can be used for serious user\u2011targeted attacks."}}}}, "created": "2025-12-23T22:52:27.544044+00:00", "updated": "2026-04-21T17:00:12.332443+00:00", "vendors": ["htplugins", "htplugins$PRODUCT$wishsuite", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}