{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13988", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-03T17:05:57.343Z", "datePublished": "2025-12-12T03:20:53.931Z", "dateUpdated": "2026-04-08T17:16:24.790Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:24.790Z"}, "affected": [{"vendor": "thobian", "product": "\u8bc4\u8bba\u5c0f\u79d8\u4e66", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The \u8bc4\u8bba\u5c0f\u79d8\u4e66 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the `$_SERVER['PHP_SELF']` variable in the plugin's settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "\u8bc4\u8bba\u5c0f\u79d8\u4e66 <= 1.3.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b24506c2-bf5e-4c71-94a5-c557a09f9f0d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/comments-secretary/trunk/tho_fetion.php#L173"}, {"url": "https://plugins.trac.wordpress.org/browser/comments-secretary/tags/1.3.2/tho_fetion.php#L173"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "timeline": [{"time": "2025-12-11T15:08:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T19:58:34.566236Z", "id": "CVE-2025-13988", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:12:59.408Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13988", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T19:58:34.566236Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T19:59:25.451Z"}}], "cna": {"title": "\u8bc4\u8bba\u5c0f\u79d8\u4e66 <= 1.3.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "thobian", "product": "\u8bc4\u8bba\u5c0f\u79d8\u4e66", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T15:08:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b24506c2-bf5e-4c71-94a5-c557a09f9f0d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/comments-secretary/trunk/tho_fetion.php#L173"}, {"url": "https://plugins.trac.wordpress.org/browser/comments-secretary/tags/1.3.2/tho_fetion.php#L173"}], "descriptions": [{"lang": "en", "value": "The \u8bc4\u8bba\u5c0f\u79d8\u4e66 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the `$_SERVER['PHP_SELF']` variable in the plugin's settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:24.790Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13988", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:16:24.790Z", "dateReserved": "2025-12-03T17:05:57.343Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:53.931Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The \u8bc4\u8bba\u5c0f\u79d8\u4e66 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the `$_SERVER['PHP_SELF']` variable in the plugin's settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2025-13988", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:45.697", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/comments-secretary/tags/1.3.2/tho_fetion.php#L173"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/comments-secretary/trunk/tho_fetion.php#L173"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b24506c2-bf5e-4c71-94a5-c557a09f9f0d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:31:04.474918+00:00", "value": {"mitigation_remediation": ["Update the \u8bc4\u8bba\u5c0f\u79d8\u4e66 plugin to the latest released version that removes unsanitized use of PHP_SELF.", "If no patch is available, deactivate or delete the plugin entirely to eliminate the vulnerable code path. ", "As a temporary safeguard, configure a web\u2011application firewall or client\u2011side filter to block requests containing common XSS payloads and to escape output in the settings page."], "summary": {"action": "Update Plugin", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress installations running the \u8bc4\u8bba\u5c0f\u79d8\u4e66 plugin up to and including version 1.3.2 are affected. The issue exists in every release prior to 1.3.3, if such a release exists. No specific server regions or configurations are listed, but any site publishing the plugin\u2019s settings page could be vulnerable.", "description_and_impact": "The \u8bc4\u8bba\u5c0f\u79d8\u4e66 WordPress plugin contains a reflected XSS flaw in its settings page because the $_SERVER['PHP_SELF'] value is printed without proper encoding. This bug allows an attacker to embed malicious JavaScript in a URL or form input that is then reflected back to the browser. An unauthenticated user who views the affected page after following a crafted link may be able to execute arbitrary client\u2011side code, potentially hijacking sessions or defacing the site.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.1, indicating moderate severity. The EPSS score of less than 1% shows that, while exploitation is possible, it is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. Based on the description, the likely attack vector is a manipulated URL that causes the victim\u2019s browser to execute attacker\u2011supplied script when they view the plugin page. Only a scenario where an exploitable URL is delivered to a user who then visits the page would lead to impact."}}}}, "created": "2025-12-12T08:48:05.587269+00:00", "updated": "2026-04-20T21:45:18.953078+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}