Platform: wordpress
Component: wp-hallo-welt
Fixed in: 1.4.1
CVE-2025-13365 describes a Cross-Site Scripting (XSS) vulnerability discovered in the WP Hallo Welt plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious web scripts via Cross-Site Request Forgery (CSRF) attacks, potentially compromising site administrator accounts. The vulnerability affects versions 0.0.0 through 1.4 and requires an administrator to be tricked into performing an action. A fix is expected in a future plugin release.
The primary impact of CVE-2025-13365 is the potential for attackers to inject malicious JavaScript code into WordPress websites using the WP Hallo Welt plugin. Successful exploitation could lead to session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive user data. Because the vulnerability leverages CSRF, an attacker doesn't need to authenticate but can trick an administrator into executing a forged request. The stored nature of the XSS means the injected script persists on the server and can affect multiple visitors. This is particularly concerning for sites with high traffic or sensitive data.
CVE-2025-13365 was publicly disclosed on 2025-12-20. While no public proof-of-concept (PoC) code has been released at the time of writing, the vulnerability's nature and the ease of CSRF exploitation suggest a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on CSRF makes it less likely to be exploited in automated campaigns but increases the risk of targeted attacks against specific WordPress installations.
Websites using the WP Hallo Welt plugin, particularly those with administrator accounts that are frequently targeted by phishing or social engineering attacks, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / plugin: Use wp-cli to check the installed plugin version:
  wp plugin list | grep hallo-welt
• wordpress / plugin: Search the plugin files for the halloweltseite function and look for missing or incorrect nonce validation.
• generic web: Monitor WordPress error logs for suspicious JavaScript code being injected into plugin settings.
• generic web: Check WordPress admin user activity logs for unusual or unauthorized changes to plugin settings.
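The second detection tip above (look for the settings handler and check whether it validates a nonce) can be turned into a small source audit. The following is an added example, not code from the page or from the WP Hallo Welt project: it scans PHP source for the two defects this advisory describes, an option write fed by request data inside a function that never calls a nonce check (the CSRF half), and a stored option echoed back without escaping (the stored XSS half). The two handlers it scans are constructed stand-ins: the function name halloweltseite is the one the advisory mentions, but its body, the option name hallo_welt_text and the nonce action hallo_welt_save are assumptions, not the plugin's real code.

```python
import re

# Constructed sample, written in the vulnerable style the advisory describes:
# request data is stored with no nonce check and echoed back unescaped.
# The function name comes from the advisory; the body is a hypothetical stand-in.
VULNERABLE_HANDLER = r'''
function halloweltseite() {
    if ( isset( $_POST['hallo_welt_text'] ) ) {
        update_option( 'hallo_welt_text', $_POST['hallo_welt_text'] );
    }
    echo '<div class="wrap"><h1>' . get_option( 'hallo_welt_text' ) . '</h1></div>';
}
'''

# Constructed hardened form of the same handler: nonce verified before the write,
# input sanitized, output escaped. Also an assumption, not the project's fix.
HARDENED_HANDLER = r'''
function halloweltseite() {
    if ( isset( $_POST['hallo_welt_text'] ) ) {
        check_admin_referer( 'hallo_welt_save', 'hallo_welt_nonce' );
        update_option( 'hallo_welt_text',
                       sanitize_text_field( wp_unslash( $_POST['hallo_welt_text'] ) ) );
    }
    echo '<div class="wrap"><h1>' . esc_html( get_option( 'hallo_welt_text' ) ) . '</h1></div>';
}
'''

FUNC_RE = re.compile(r'function\s+(\w+)\s*\([^)]*\)\s*\{')
STATE_WRITE_RE = re.compile(r'\b(update_option|add_option|update_post_meta|update_user_meta)\s*\(')
REQUEST_DATA_RE = re.compile(r'\$_(POST|GET|REQUEST)\b')
# An echo statement that reaches get_option() with no WordPress escaping call in it.
UNESCAPED_ECHO_RE = re.compile(
    r'echo\b(?![^;]*\b(esc_html|esc_attr|esc_js|esc_url|wp_kses|wp_kses_post)\s*\()[^;]*\bget_option\s*\(')
NONCE_CHECKS = ('check_admin_referer(', 'wp_verify_nonce(', 'check_ajax_referer(')
SANITIZERS = ('sanitize_', 'wp_kses', 'absint(', 'intval(')


def split_functions(src):
    """Yield (name, body) for each PHP function, matching braces to find the body end."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            if src[i] == '{':
                depth += 1
            elif src[i] == '}':
                depth -= 1
            i += 1
        yield m.group(1), src[m.end():i - 1]


def audit(src):
    """Return (function, code, message) findings for the CSRF and XSS patterns above."""
    findings = []
    for name, body in split_functions(src):
        has_nonce = any(check in body for check in NONCE_CHECKS)
        for write in STATE_WRITE_RE.finditer(body):
            end = body.find(';', write.end())
            stmt = body[write.start():end if end != -1 else len(body)]
            if not REQUEST_DATA_RE.search(stmt):
                continue  # the write is not fed by the request, so it is not a CSRF sink
            if not has_nonce:
                findings.append((name, 'csrf-missing-nonce',
                                 'request data written to site state without a nonce check'))
            if not any(s in stmt for s in SANITIZERS):
                findings.append((name, 'unsanitized-input',
                                 'raw request data stored without sanitization'))
        if UNESCAPED_ECHO_RE.search(body):
            findings.append((name, 'unescaped-output',
                             'stored option echoed without esc_html()/wp_kses()'))
    return findings


def finding_codes(src):
    """The set of finding codes reported for a source string."""
    return {code for _, code, _ in audit(src)}


if __name__ == '__main__':
    for label, src in (('vulnerable', VULNERABLE_HANDLER), ('hardened', HARDENED_HANDLER)):
        print(f'{label}: {len(audit(src))} finding(s)')
        for func, code, msg in audit(src):
            print(f'  {func}: [{code}] {msg}')
```

Run against the real plugin files with `audit(open(path).read())` for each PHP file. The check is deliberately coarse (it only knows a nonce was verified somewhere in the function, not that it guards the right branch), so treat a clean result as a reason to read the handler, not as proof it is safe.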
Exploit status: disclosure
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The immediate mitigation for CVE-2025-13365 is to upgrade to a patched version of the WP Hallo Welt plugin as soon as it becomes available. Until a patch is released, administrators should exercise extreme caution when clicking links or performing actions within the WordPress dashboard, especially if they suspect malicious activity. Implementing a Web Application Firewall (WAF) with CSRF protection rules can also help block malicious requests. Regularly review plugin settings for any unauthorized changes and consider limiting administrator privileges to reduce the potential impact of a successful attack.
No known patch available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-13365 is a Cross-Site Scripting (XSS) vulnerability in the WP Hallo Welt WordPress plugin, allowing attackers to inject malicious scripts via forged requests.
You are affected if you are using WP Hallo Welt versions 0.0.0 through 1.4 and have not yet upgraded to a patched version.
Upgrade to a patched version of the WP Hallo Welt plugin as soon as it becomes available. Until then, exercise caution and consider WAF rules.
While no active exploitation has been confirmed, the vulnerability's nature suggests a moderate risk of exploitation, especially through targeted attacks.
Refer to the WP Hallo Welt plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-13365.