CVE-2025-13456
Description
The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ShopBuilder WordPress plugin before 3.2.2 has a reflected XSS vulnerability that can be exploited against admin users via unsanitized input.
CVE-2025-13456 is a reflected cross-site scripting (XSS) vulnerability in the ShopBuilder WordPress plugin, affecting versions prior to 3.2.2. The plugin fails to sanitize and escape a parameter before outputting it back in the page, allowing an attacker to inject arbitrary JavaScript code [1].
To exploit this, an attacker must craft a malicious link containing the XSS payload and trick a high-privilege user, such as an administrator, into clicking it. The attacker needs no authentication of their own beyond generating the link, so the attack relies on social engineering. This is a typical reflected XSS attack vector, where the injected script executes in the context of the victim's browser session [1].
Successful exploitation allows an attacker to perform actions on behalf of the privileged victim, including creating new admin accounts, modifying plugin settings, or exfiltrating sensitive data such as session cookies. Given that the target user has elevated privileges, the impact is amplified [1].
The vulnerability has been fixed in ShopBuilder version 3.2.2. Users are strongly advised to update immediately. WordPress site administrators should also consider verifying that no older versions remain in use [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
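The version check recommended above can be scripted. The following is an added example, not code from the plugin or from this page's sources: it scans a `wp-content/plugins` directory, reads each plugin file's header the way WordPress does, and flags any ShopBuilder copy older than 3.2.2. It assumes the plugin's "Plugin Name" header contains "ShopBuilder"; the directory names and header text in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 2, 2)  # first fixed release per the advisory
# Mirrors how WordPress reads "Key: value" lines from a plugin file's header comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def parse_version(text):
    """'3.2.1' -> (3, 2, 1); short versions such as '3.2' are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_source):
    """Return lower-cased header fields; WordPress only scans the first 8 KB."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def audit(plugins_dir):
    """List (directory, version, needs_update) for every ShopBuilder copy found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = read_header(php.read_text(errors="replace"))
        # Assumption: the plugin's "Plugin Name" header contains "ShopBuilder".
        if "shopbuilder" not in fields.get("plugin name", "").lower():
            continue
        version = fields.get("version", "0")  # missing version is treated as outdated
        findings.append((php.parent.name, version, parse_version(version) < FIXED))
    return findings

def demo():
    """Run the audit over constructed plugin directories (names are made up)."""
    samples = {"shop-old": "3.2.1", "shop-new": "3.2.2"}
    with tempfile.TemporaryDirectory() as root:
        for name, version in samples.items():
            d = Path(root, name)
            d.mkdir()
            d.joinpath("main.php").write_text(
                f"<?php\n/**\n * Plugin Name: ShopBuilder\n * Version: {version}\n */\n")
        return audit(root)

if __name__ == "__main__":
    for directory, version, needs_update in demo():
        print(directory, version, "UPDATE" if needs_update else "ok")
```

Point `audit()` at each site's real plugins directory; deactivated copies left on disk are reported as well, since the check reads files rather than the active-plugin list.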
Affected products
- Range: <3.2.2
Patches
No patches discovered yet.
References