{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13863", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-01T21:07:47.854Z", "datePublished": "2025-12-06T05:49:32.872Z", "dateUpdated": "2026-04-08T17:20:49.659Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:49.659Z"}, "affected": [{"vendor": "krupenik", "product": "RevInsite", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "RevInsite <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c52de26a-d52c-4b2e-8e51-731115d29bd0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/revinsite/trunk/revinsite.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/revinsite/tags/1.1.0/revinsite.php#L25"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2025-12-05T17:46:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T21:31:09.583419Z", "id": "CVE-2025-13863", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:31:22.276Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13863", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T21:31:09.583419Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:31:16.499Z"}}], "cna": {"title": "RevInsite <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "krupenik", "product": "RevInsite", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T17:46:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c52de26a-d52c-4b2e-8e51-731115d29bd0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/revinsite/trunk/revinsite.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/revinsite/tags/1.1.0/revinsite.php#L25"}], "descriptions": [{"lang": "en", "value": "The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-06T05:49:32.872Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13863", "state": "PUBLISHED", "dateUpdated": "2025-12-08T21:31:22.276Z", "dateReserved": "2025-12-01T21:07:47.854Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T05:49:32.872Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13863", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T06:15:52.807", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/revinsite/tags/1.1.0/revinsite.php#L25"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/revinsite/trunk/revinsite.php#L25"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c52de26a-d52c-4b2e-8e51-731115d29bd0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:02:35.173193+00:00", "value": {"mitigation_remediation": ["Upgrade RevInsite to a fixed version that escapes token input", "If an update is not immediately possible, restrict or downgrade Contributor and higher privileges for users who can edit shortcode\u2011containing pages", "Implement a site\u2011wide Content Security Policy that blocks inline script execution or limit script sources, or use a security plugin to sanitize shortcodes and block XSS payloads"], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting that can lead to arbitrary script execution in other users\u2019 browsers"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of RevInsite up to and including version 1.1.0. Any site running the plugin in those versions is at risk, regardless of WordPress core version, provided that contributors or higher\u2011privileged roles can delete or edit pages that include the vulnerable shortcode.", "description_and_impact": "RevInsite, a WordPress plugin by krupenik, contains a stored Cross\u2011Site Scripting vulnerability through the token parameter in its shortcodes. The plugin fails to sanitize or escape the token value, allowing an authenticated user with Contributor or higher privileges to embed arbitrary JavaScript. When a victim visits a page containing the injected content, the script executes in the victim\u2019s browser, enabling data theft, session hijacking, or defacement. The flaw is classified as CWE\u201179.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1\u202f%, suggesting a low likelihood of exploitation at this time. The flaw is not currently listed in CISA\u2019s KEV catalog. Successful exploitation requires authentication with at least Contributor level; once achieved, the attacker can execute arbitrary JavaScript in the browsers of other site visitors. The risk is mitigated when the site restricts Contributor rights or disables the shortcode feature."}}}}, "created": "2025-12-08T09:39:29.170931+00:00", "updated": "2026-04-21T01:15:20.119700+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}