What is CVE-2025-13456?

CVE-2025-13456 is a publicly disclosed cybersecurity vulnerability with a MEDIUM severity rating and CVSS score of 6.1.

How to search for CVE vulnerabilities?

You can search the 4nuxd CVE database using CVE IDs, vendor names, product names, or severity levels.

CVE-2025-13456

MEDIUM6.1/ 10.0

Published: January 2, 2026 at 06:15 AM

Modified: January 2, 2026 at 10:15 PM

Source: contact@wpscan.com

Vulnerability Description

The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVSS Metrics

Base Score

6.1

Severity

MEDIUM

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Security Analysis

01 // Technical Summary

ShopBuilder WordPress plugin versions prior to 3.2.2 are vulnerable to a Reflected Cross-Site Scripting (XSS) attack. This vulnerability allows attackers to inject malicious JavaScript code into the plugin's pages, potentially enabling account takeover and data theft from privileged users, including administrators.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious URL containing a JavaScript payload within a specific parameter that the ShopBuilder plugin processes.

Step 2: User Interaction: The attacker lures a privileged user (e.g., an administrator) to click the crafted URL, perhaps through phishing or social engineering.

Step 3: Payload Execution: When the user clicks the malicious URL, the browser sends the request to the vulnerable ShopBuilder plugin. The plugin, due to the lack of sanitization, includes the attacker's JavaScript payload in the response.

Step 4: Code Rendering: The user's browser receives the response containing the malicious JavaScript and executes it.

Step 5: Attack Execution: The executed JavaScript can perform various malicious actions, such as stealing the user's session cookies, redirecting the user to a phishing site, or modifying the website's content.

03 // Deep Technical Analysis

The vulnerability stems from a lack of proper input sanitization and output escaping within the ShopBuilder plugin. Specifically, a parameter is not correctly processed before being displayed on a webpage. This allows an attacker to inject malicious JavaScript code into the parameter, which is then rendered by the user's browser. The root cause is a missing or inadequate implementation of security best practices, such as input validation and output encoding, leading to the XSS vulnerability.