{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13893", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-02T15:38:02.335Z", "datePublished": "2026-01-09T11:15:30.823Z", "dateUpdated": "2026-04-08T16:37:37.549Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:37.549Z"}, "affected": [{"vendor": "burtrw", "product": "Lesson Plan Book", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Lesson Plan Book <= 1.3 - Reflected Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18696937-5cc5-4e14-940d-fc25468377a3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L719"}, {"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1776"}, {"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1910"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "timeline": [{"time": "2026-01-08T21:37:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T14:51:11.292290Z", "id": "CVE-2025-13893", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T14:51:20.686Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13893", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T14:51:11.292290Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T14:51:16.638Z"}}], "cna": {"title": "Lesson Plan Book <= 1.3 - Reflected Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "burtrw", "product": "Lesson Plan Book", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-08T21:37:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18696937-5cc5-4e14-940d-fc25468377a3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L719"}, {"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1776"}, {"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1910"}], "descriptions": [{"lang": "en", "value": "The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:37.549Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13893", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:37.549Z", "dateReserved": "2025-12-02T15:38:02.335Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T11:15:30.823Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Lesson Plan Book para WordPress es vulnerable a cross-site scripting reflejado a trav\u00e9s de la variable '$_SERVER['PHP_SELF']' en todas las versiones hasta la 1.3, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-13893", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T12:15:52.493", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1776"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1910"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L719"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18696937-5cc5-4e14-940d-fc25468377a3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:13:37.750508+00:00", "value": {"mitigation_remediation": ["Upgrade the Lesson Plan Book plugin to the latest available version that patches the XSS flaw, or disable the plugin if no update exists.", "If an upgrade is not possible, manually sanitize the `$_SERVER['PHP_SELF']` usage in the plugin code, for example by replacing it with `esc_url( $_SERVER['REQUEST_URI'] )` or ensuring output is properly escaped.", "Deploy a content\u2011security\u2011policy header that restricts inline scripts, or use a web application firewall to filter out the malicious payloads."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "This flaw applies to all releases of the Lesson Plan Book plugin by the vendor burtrw up to and including version 1.3. There is no official patch or workaround listed at the time of this analysis, so the unmitigated risk remains for any site still running these affected releases.", "description_and_impact": "The Lesson Plan Book plugin for WordPress is vulnerable to a reflected cross\u2011site scripting flaw that results from the unsanitized use of the PHP superglobal `$_SERVER['PHP_SELF']`. An unauthenticated attacker can craft a URL that injects arbitrary JavaScript into the page output. When a victim clicks the malicious link, the script executes in the victim\u2019s browser. This flaw may lead to disclosure of sensitive data or malicious manipulation of the page content.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.1, indicating a moderate severity, and an EPSS score of less than 1\u202f%, implying a very low probability of exploitation as of now. It is not currently listed in the CISA KEV catalog. The attack can be performed remotely by simply clicking a malicious link; no authentication or privileged access is required. Administrators should treat this as a moderate risk that warrants timely remediation."}}}}, "created": "2026-01-09T13:23:44.899104+00:00", "updated": "2026-04-22T20:15:20.537566+00:00", "vendors": ["burtrw", "burtrw$PRODUCT$lesson_plan_book", "wordpress", "wordpress$PRODUCT$wordpress"]}