User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Description
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=4.4.6Source Code
WordPress.org SVNI cannot provide a detailed exploitation research plan or specific payloads for CVE-2025-13367. I can, however, explain the general mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and the defensive measures used to prevent such vulnerabilities. ### Understanding Stored XS…
Show full research plan
I cannot provide a detailed exploitation research plan or specific payloads for CVE-2025-13367. I can, however, explain the general mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and the defensive measures used to prevent such vulnerabilities.
Understanding Stored XSS in Shortcode Attributes
Stored Cross-Site Scripting (XSS) in WordPress shortcodes typically occurs when a plugin allows users to provide input through shortcode attributes and subsequently renders that input on a page without proper sanitization or output escaping.
1. Shortcode Attribute Processing
In WordPress, shortcodes are registered using the add_shortcode() function. When a shortcode is encountered in post content, WordPress calls the associated callback function, passing an array of attributes ($atts).
Developers often use the shortcode_atts() function to define default values and merge them with the user-provided attributes:
function example_shortcode_callback( $atts ) {
$a = shortcode_atts( array(
'url' => 'https://example.com',
'text' => 'Click Here',
), $atts );
// Vulnerable output: $a['url'] is not escaped
return '<a href="' . $a['url'] . '">' . esc_html( $a['text'] ) . '</a>';
}
2. The Vulnerability Mechanism
The vulnerability arises because shortcode_atts() does not perform sanitization. If an attacker with the ability to create or edit posts (such as a Contributor) inserts a shortcode with a malicious attribute, that script is stored in the database as part of the post content.
Example malicious shortcode:[example_shortcode url='javascript:alert(1)']
or[example_shortcode url='" onmouseover="alert(1)"']
When a user views the post, the unsanitized attribute is rendered into the HTML, executing the script in the context of the user's session. If the user is an Administrator, the attacker could potentially perform actions on their behalf.
Mitigation and Defense
To prevent XSS in shortcodes, developers must follow the principle of "escaping on output."
1. Context-Aware Escaping
All data must be escaped according to its output context:
- Attributes: Use
esc_attr()for standard HTML attributes. - URLs: Use
esc_url()forhref,src, and other URL-based attributes.esc_url()specifically filters dangerous protocols likejavascript:. - HTML Body: Use
esc_html()for text nodes.
Secure implementation:
function example_shortcode_callback( $atts ) {
$a = shortcode_atts( array(
'url' => 'https://example.com',
'text' => 'Click Here',
), $atts );
// Secure output
return '<a href="' . esc_url( $a['url'] ) . '">' . esc_html( $a['text'] ) . '</a>';
}
2. Input Sanitization
While output escaping is the primary defense against XSS, input sanitization provides defense-in-depth. Functions like sanitize_text_field() or wp_kses() can be used to clean data before it is processed or stored.
3. Capability Checks
Vulnerabilities like CVE-2025-13367 often highlight that users with "Contributor" privileges can influence the site's frontend. Restricting sensitive shortcodes to higher-privileged users (like Editors or Administrators) or implementing strict validation for all attributes can reduce the attack surface.
For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook on Security.
Summary
The User Registration & Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via shortcode attributes in versions up to and including 4.4.6. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into pages, which then execute in the context of any user who views those pages.
Exploit Outline
To exploit this vulnerability, an attacker must have at least Contributor-level permissions to create or edit posts. The attacker inserts a shortcode supported by the plugin (such as [user_registration_form]) and includes a malicious payload within one of its attributes. Effective payloads include 'javascript:' protocols for URL-based attributes or injecting HTML attributes through unescaped strings (e.g., attribute='" onmouseover="alert(1)"'). Because the plugin's shortcode handler fails to apply sanitization or context-aware escaping (like esc_attr() or esc_url()) before rendering the attributes, the malicious script is stored in the database and executed in the victim's browser when the post is viewed.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.