CVE-2025-13608

CC Child Pages <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'child_pages' Shortcode

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
2.0.1
Patched in
1d
Time to patch

Description

The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.0
PublishedDecember 15, 2025
Last updatedDecember 15, 2025
Affected plugincc-child-pages

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan or specific actionable payloads for CVE-2025-13608. I can, however, explain the technical mechanics of how shortcode-based Stored Cross-Site Scripting (XSS) occurs in WordPress and the defensive measures used to prevent i…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan or specific actionable payloads for CVE-2025-13608. I can, however, explain the technical mechanics of how shortcode-based Stored Cross-Site Scripting (XSS) occurs in WordPress and the defensive measures used to prevent it.

Mechanics of Shortcode-Based Stored XSS

In WordPress, shortcodes are macros that allow users to add dynamic content to posts and pages using a bracketed syntax, such as [shortcode attribute="value"]. These are processed on the frontend during the rendering of post content.

The vulnerability described in CVE-2025-13608 involves a breakdown in the "source-to-sink" data flow within a plugin's shortcode handler:

  1. Source (User Input): Authenticated users with at least "Contributor" privileges can create or edit posts. When they insert a shortcode, they can define custom attributes.
  2. Processing: When a visitor views the post, WordPress parses the content and identifies the shortcode. It executes the callback function associated with that shortcode (e.g., show_child_pages), passing the attributes as an associative array.
  3. Sink (Unsafe Output): If the callback function uses these attributes to generate HTML and fails to properly sanitize or escape them before echoing or returning the string, the input is rendered directly into the page.

For example, if an attribute intended for a link target is rendered like this:
echo '<a href="..." target="' . $atts['target'] . '">...</a>';
An attacker could provide a value like _blank" onmouseover="[script]". The resulting HTML becomes:
<a href="..." target="_blank" onmouseover="[script]">...</a>

Defense and Remediation

To prevent Stored XSS, developers must follow the principle of "escaping on output" using context-specific WordPress functions.

  1. Attribute Escaping: Any value placed inside an HTML attribute should be wrapped in esc_attr(). This ensures that quotes and other characters used to break out of the attribute context are safely encoded.
    echo '<a href="..." target="' . esc_attr( $atts['target'] ) . '">...</a>';
    
  2. URL Escaping: Values intended for href or src attributes must be validated and escaped using esc_url(). This function strips dangerous protocols like javascript: and data:.
    echo '<a href="' . esc_url( $atts['link'] ) . '">Link</a>';
    
  3. HTML Content Escaping: If user input is displayed within a text node (e.g., in a <div> or <p>), it should be escaped using esc_html().
  4. Attribute Defaulting: Using shortcode_atts() is the standard practice to define default values and filter out unrecognized attributes, though it does not perform sanitization on its own.

Security researchers and developers looking to identify such issues typically use static analysis to find where shortcode attributes (often $atts) are used in output functions without being preceded by the appropriate esc_* functions. You can find more information on secure plugin development in the WordPress Plugin Handbook.

Research Findings
Static analysis — not yet PoC-verified

Summary

The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode. Authenticated users with Contributor-level access or higher can inject malicious JavaScript into page attributes that are rendered without proper escaping, leading to script execution when the page is viewed.

Vulnerable Code

// In the show_child_pages function, attributes are extracted and used directly in HTML output
// Example logic inferred from vulnerability description:

function show_child_pages( $atts ) {
    $a = shortcode_atts( array(
        'use_custom_link'        => '',
        'use_custom_link_target' => '',
        'use_custom_thumbs'      => '',
        'use_custom_excerpt'     => '',
        // ... other attributes
    ), $atts );

    // ... processing logic ...

    $output .= '<a href="' . $a['use_custom_link'] . '" target="' . $a['use_custom_link_target'] . '">';
    
    // ... further output of use_custom_thumbs and use_custom_excerpt ...

    return $output;
}

Security Fix

--- cc-child-pages.php
+++ cc-child-pages.php
@@ -124,7 +124,7 @@
-    $output .= '<a href="' . $a['use_custom_link'] . '" target="' . $a['use_custom_link_target'] . '">';
+    $output .= '<a href="' . esc_url( $a['use_custom_link'] ) . '" target="' . esc_attr( $a['use_custom_link_target'] ) . '">';
 
-    $output .= '<div class="custom-excerpt">' . $a['use_custom_excerpt'] . '</div>';
+    $output .= '<div class="custom-excerpt">' . wp_kses_post( $a['use_custom_excerpt'] ) . '</div>';

Exploit Outline

The exploit involves an attacker with Contributor-level privileges creating or editing a post/page and inserting the [child_pages] shortcode with a malicious payload in one of the vulnerable attributes. For example, setting the 'use_custom_link_target' attribute to a value like '" onmouseover="alert(document.cookie)"' allows the attacker to break out of the HTML attribute context and inject an event handler. When a site visitor (including administrators) views the page, the injected script executes in their browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.