1.4.1
CVE-2025-13365 describes a Cross-Site Scripting (XSS) vulnerability discovered in the WP Hallo Welt plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious web scripts via Cross-Site Request Forgery (CSRF) attacks, potentially compromising site administrator accounts. The vulnerability affects versions 0.0.0 through 1.4 and requires an administrator to be tricked into performing an action. A fix is expected in a future plugin release.
The primary impact of CVE-2025-13365 is the potential for attackers to inject malicious JavaScript code into WordPress websites using the WP Hallo Welt plugin. Successful exploitation could lead to session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive user data. Because the vulnerability leverages CSRF, an attacker doesn't need to authenticate but can trick an administrator into executing a forged request. The stored nature of the XSS means the injected script persists on the server and can affect multiple visitors. This is particularly concerning for sites with high traffic or sensitive data.
CVE-2025-13365 was publicly disclosed on 2025-12-20. While no public proof-of-concept (PoC) code has been released at the time of writing, the vulnerability's nature and the ease of CSRF exploitation suggest a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on CSRF makes it less likely to be exploited in automated campaigns but increases the risk of targeted attacks against specific WordPress installations.
Websites using the WP Hallo Welt plugin, particularly those with administrator accounts that are frequently targeted by phishing or social engineering attacks, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / plugin: Use wp-cli to check the installed plugin version:
wp plugin list | grep hallo-welt• wordpress / plugin: Search plugin files for the halloweltseite function and look for missing or incorrect nonce validation.
• generic web: Monitor WordPress error logs for suspicious JavaScript code being injected into plugin settings.
• generic web: Check WordPress admin user activity logs for unusual or unauthorized changes to plugin settings.
disclosure
漏洞利用状态
EPSS
0.02% (5% 百分位)
CISA SSVC
CVSS 向量
The immediate mitigation for CVE-2025-13365 is to upgrade to a patched version of the WP Hallo Welt plugin as soon as it becomes available. Until a patch is released, administrators should exercise extreme caution when clicking links or performing actions within the WordPress dashboard, especially if they suspect malicious activity. Implementing a Web Application Firewall (WAF) with CSRF protection rules can also help block malicious requests. Regularly review plugin settings for any unauthorized changes and consider limiting administrator privileges to reduce the potential impact of a successful attack.
没有已知的补丁可用。请深入审查漏洞的详细信息,并根据您组织的风险承受能力采取缓解措施。最好卸载受影响的软件并寻找替代方案。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-13365 is a Cross-Site Scripting (XSS) vulnerability in the WP Hallo Welt WordPress plugin, allowing attackers to inject malicious scripts via forged requests.
You are affected if you are using WP Hallo Welt versions 0.0.0 through 1.4 and have not yet upgraded to a patched version.
Upgrade to a patched version of the WP Hallo Welt plugin as soon as it becomes available. Until then, exercise caution and consider WAF rules.
While no active exploitation has been confirmed, the vulnerability's nature suggests a moderate risk of exploitation, especially through targeted attacks.
Refer to the WP Hallo Welt plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-13365.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。