CVE-2025-13355
Description
The URL Shortify WordPress plugin before 1.11.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
URL Shortify WordPress plugin before 1.11.4 has a reflected XSS vulnerability that can be exploited against high-privilege users like admins.
Vulnerability
Overview
The URL Shortify WordPress plugin, versions prior to 1.11.4, fails to properly sanitize and escape a parameter before outputting it back in the page. This lack of input validation leads to a Reflected Cross-Site Scripting (XSS) vulnerability [1]. The issue is classified as High severity with a CVSS v3 score of 7.1.
Exploitation
An attacker can craft a URL containing malicious JavaScript and trick a user into clicking it. The vulnerability is particularly dangerous because it can be used against high-privilege users such as administrators [1]. No authentication is required to trigger the reflected XSS, but the attack depends on social engineering to deliver the crafted link to a target user.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. For an admin user, this could lead to session hijacking, creation of rogue admin accounts, or injection of malicious content throughout the WordPress site.
Mitigation
The vulnerability has been fixed in version 1.11.4 of the plugin [1]. Users are strongly advised to update immediately. No workarounds are documented; updating to the patched version is the only reliable mitigation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.