CVE-2025-13747
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Description
The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in the nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
Stored Cross-Site Scripting in NewStatPress WordPress plugin versions up to 1.4.3 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript into pages via a regex bypass in the nsp_shortcode function. When site visitors access pages containing the injected malicious shortcode attribute, the attacker's script executes in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified; EPSS score of 0.04% reflects the requirement for authenticated access and user interaction.
Technical Context
NewStatPress is a WordPress plugin that processes shortcode attributes through the nsp_shortcode function. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and is caused by insufficient input sanitization and output escaping on user-supplied shortcode attributes. The plugin's regex validation, intended to reject malicious input, can be bypassed, so specially crafted attribute values pass through unescaped and reach the page output. WordPress shortcodes are parsed server-side and their output is rendered client-side; when untrusted data reaches the page without proper escaping, browsers interpret it as markup and executable code. The vulnerability affects all versions of NewStatPress up to and including 1.4.3.
Affected Products
NewStatPress WordPress plugin versions 1.4.3 and earlier are affected. The vulnerability exists in the nsp_shortcode function located in includes/nsp-core.php. Organizations running NewStatPress should check their installed plugin version; the affected source for 1.4.3 can be reviewed in the official WordPress plugin repository at https://plugins.trac.wordpress.org/browser/newstatpress/tags/1.4.3/includes/nsp-core.php.
Remediation
Update NewStatPress to the patched version released by the plugin developers. Organizations should immediately review contributor- and author-level user accounts on their WordPress installations and audit recent shortcode additions for suspicious attribute values. If immediate patching is not possible, limit contributor-level (and higher) accounts to trusted users until the patch is deployed. Review the Wordfence vulnerability advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ddc418-9458-4335-afdc-6d40c7e23060 for additional context and to confirm the latest patched version. Clear any stored malicious shortcodes from published pages before patching.
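The shortcode audit step above, as an added example that is not part of this advisory or of the plugin's code: a Python script that pulls shortcode attributes out of exported post content (using the same key="value" / key='value' / key=bareword grammar as WordPress's shortcode_parse_atts()), flags attribute values that would need escaping before being written into a page, and shows the escaped form that an output-escaping call such as WordPress's esc_attr() would produce. The shortcode tag name, the attribute names and the sample posts are assumptions constructed for the demo; the advisory names the handler function, not the tag.

```python
import html
import re

# Assumed shortcode tag: the advisory names the handler (nsp_shortcode) but not
# the tag registered with it, so this is a placeholder for the demo.
TAG = "nsp_shortcode"

# Attribute grammar modelled on WordPress shortcode_parse_atts():
# key="value", key='value', or key=bareword (bareword stops at whitespace).
ATT_RE = re.compile(r"""(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*'([^']*)'|(\w+)\s*=\s*([^\s"']+)""")
SHORTCODE_RE = re.compile(r"\[" + re.escape(TAG) + r"(\s[^\]]*)?\]")

# Values containing these cannot safely be echoed into an attribute or text
# node without escaping; the plugin bug is precisely that it did so unescaped.
RISKY = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)

# Constructed sample export: post id -> post_content. Post 102 carries a
# constructed suspicious attribute value; 101 is a benign use of the shortcode.
SAMPLE_POSTS = {
    101: 'Visitors today: [nsp_shortcode where="home" color=blue]',
    102: 'Stats: [nsp_shortcode title="<script>alert(1)</script>"]',
}


def parse_atts(att_text: str) -> dict:
    """Return {name: value} for the attributes in one shortcode's attribute string."""
    atts = {}
    for m in ATT_RE.finditer(att_text):
        g = m.groups()
        for i in (0, 2, 4):          # each alternative yields a (name, value) pair
            if g[i] is not None:
                atts[g[i].lower()] = g[i + 1]
    return atts


def audit_post(post_id: int, content: str) -> list:
    """Flag every attribute value on TAG shortcodes that needs escaping before output."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        for name, value in parse_atts(m.group(1) or "").items():
            if RISKY.search(value):
                findings.append({"post": post_id, "attr": name, "value": value,
                                 # What the page should have received instead of the raw value
                                 "escaped": html.escape(value, quote=True)})
    return findings


def audit_all(posts: dict) -> list:
    return [f for pid, body in posts.items() for f in audit_post(pid, body)]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_POSTS):
        print(f"post {f['post']}: attribute '{f['attr']}' = {f['value']!r} -> escaped {f['escaped']!r}")
```

Point the script at a real export (for example the post_content column from wp_posts) and at the plugin's actual shortcode tag to triage existing content before and after patching.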