Platform
wordpress
Component
wp-hallo-welt
Fixed in
1.4.1
CVE-2025-13365 describes a Cross-Site Scripting (XSS) vulnerability discovered in the WP Hallo Welt plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious web scripts via Cross-Site Request Forgery (CSRF) attacks, potentially compromising site administrator accounts. The vulnerability affects versions 0.0.0 through 1.4 and requires an administrator to be tricked into performing an action. A fix is expected in a future plugin release.
The primary impact of CVE-2025-13365 is the potential for attackers to inject malicious JavaScript code into WordPress websites using the WP Hallo Welt plugin. Successful exploitation could lead to session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive user data. Because the vulnerability leverages CSRF, an attacker doesn't need to authenticate but can trick an administrator into executing a forged request. The stored nature of the XSS means the injected script persists on the server and can affect multiple visitors. This is particularly concerning for sites with high traffic or sensitive data.
CVE-2025-13365 was publicly disclosed on 2025-12-20. While no public proof-of-concept (PoC) code has been released at the time of writing, the vulnerability's nature and the ease of CSRF exploitation suggest a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on CSRF makes it less likely to be exploited in automated campaigns but increases the risk of targeted attacks against specific WordPress installations.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2025-13365 is to upgrade to a patched version of the WP Hallo Welt plugin as soon as it becomes available. Until a patch is released, administrators should exercise extreme caution when clicking links or performing actions within the WordPress dashboard, especially if they suspect malicious activity. Implementing a Web Application Firewall (WAF) with CSRF protection rules can also help block malicious requests. Regularly review plugin settings for any unauthorized changes and consider limiting administrator privileges to reduce the potential impact of a successful attack.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-13365 is a Cross-Site Scripting (XSS) vulnerability in the WP Hallo Welt WordPress plugin, allowing attackers to inject malicious scripts via forged requests.
You are affected if you are using WP Hallo Welt versions 0.0.0 through 1.4 and have not yet upgraded to a patched version.
Upgrade to a patched version of the WP Hallo Welt plugin as soon as it becomes available. Until then, exercise caution and consider WAF rules.
While no active exploitation has been confirmed, the vulnerability's nature suggests a moderate risk of exploitation, especially through targeted attacks.
Refer to the WP Hallo Welt plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-13365.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.