Medium severity5.4NVD Advisory· Published Dec 6, 2025· Updated Apr 15, 2026
CVE-2025-13308
CVE-2025-13308
Description
The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the "No, I do not approve of this connection" button, granted they can successfully trick the victim into performing an action such as clicking on a link.
Affected products
2<=0.1.3+ 1 more
- (no CPE)range: <=0.1.3
- (no CPE)range: <=0.1.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/auth-app.jsnvd
- plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.phpnvd
- plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/59fdfdf3-e9fe-44d2-82f4-7a612a51d376nvd
News mentions
0No linked articles in our index yet.