Analysis Report · Folder Analysis cache/ultimate-member_2.11.0 → cache/ultimate-member_2.11.1 — CVE-2025-13220
Shared security patch analysis results
CVE Security Analysis & Writeups
CVE-2025-13220
NVD
AI-Generated Analysis
Findings
includes/core/um-filters-fields.php
AI: 3 vulnerabilities
3 true positives
CVE-2025-13220
--- cache/ultimate-member_2.11.0/includes/core/um-filters-fields.php 2025-12-21 09:36:27.838831857 +0000+++ cache/ultimate-member_2.11.1/includes/core/um-filters-fields.php 2025-12-21 09:36:33.971212975 +0000@@ -76,15 +76,15 @@ } $value = ( strstr( $value, 'http' ) || strstr( $value, '://' ) ) ? um_youtube_id_from_url( $value ) : $value; if ( false !== $value ) {+ $value = 'https://www.youtube.com/embed/' . $value; $value = '<div class="um-youtube">'- . '<iframe width="600" height="450" src="https://www.youtube.com/embed/' . $value . '" frameborder="0" allowfullscreen></iframe>'+ . '<iframe width="600" height="450" src="' . esc_url( $value ) . '" frameborder="0" allowfullscreen></iframe>' . '</div>'; } return $value; } add_filter( 'um_profile_field_filter_hook__youtube_video', 'um_profile_field_filter_hook__youtube_video', 99, 2 ); - /** * Outputs a spotify iframe *@@ -127,8 +127,9 @@ } $value = ! is_numeric( $value ) ? (int) substr( parse_url( $value, PHP_URL_PATH ), 1 ) : $value;+ $value = 'https://player.vimeo.com/video/' . $value; $value = '<div class="um-vimeo">- <iframe src="https://player.vimeo.com/video/' . $value . '" width="600" height="450" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>+ <iframe src="' . esc_url( $value ) . '" width="600" height="450" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe> </div>'; return $value; }@@ -199,14 +200,14 @@ if ( ! $value ) { return ''; }+ $value = 'https://maps.google.it/maps?q=' . urlencode( $value ) . '&output=embed'; $value = '<div class="um-googlemap">- <iframe width="600" height="450" frameborder="0" style="border:0" src="https://maps.google.it/maps?q=' . urlencode( $value ) . '&output=embed"></iframe>+ <iframe width="600" height="450" frameborder="0" style="border:0" src="' . esc_url( $value ) . 
'"></iframe> </div>'; return $value; } add_filter( 'um_profile_field_filter_hook__googlemap', 'um_profile_field_filter_hook__googlemap', 99, 2 ); - /** * User's registration date *
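Review bot: in the youtube hunk, the value reaches the new `'https://www.youtube.com/embed/' . $value` line unvalidated whenever it contains neither `http` nor `://`, because `um_youtube_id_from_url()` runs only in that branch of the ternary; `esc_url()` is then the only control, stripping the characters it rejects and entity-encoding the rest for the attribute. An allow-list check on the ID before the concatenation, for example a `preg_match( '/^[A-Za-z0-9_-]+$/', $value )` that returns `''` on failure, would make the fix hold independently of `esc_url()`'s behaviour. The removed blank line before the spotify docblock is unrelated whitespace and can be left out of a security backport.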
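Review bot: in the vimeo hunk, the `(int)` cast applies only when `is_numeric( $value )` is false, so a value PHP already considers numeric (such as `1e3`, or one with leading whitespace) is concatenated into the player URL unchanged, and only `esc_url()` stands between it and the attribute. Casting unconditionally, `$value = (int) $value;`, keeps the embed path strictly digits and makes `esc_url()` defence in depth rather than the sole control; returning `''` when the cast yields `0` would avoid emitting a broken player.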
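Review bot: in the googlemap hunk, `urlencode( $value )` already percent-encodes quotes, angle brackets and ampersands, so the `q=` parameter could not break out of the `src` attribute before this change; what `esc_url()` adds is scheme validation and entity-encoding of the whole URL, including the literal `&` in `&output=embed`. That is worthwhile hardening and keeps this hook consistent with the youtube and vimeo ones, but the change description should present it as hardening rather than as a fix for an injection reachable through this path.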
AI Analysis
I'll analyze the provided code diff for security fixes.
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/core/um-filters-fields.php lines 79-81
**Old Code:**
```php
$value = '<div class="um-youtube">'
. '<iframe width="600" height="450" src="https://www.youtube.com/embed/' . $value . '" frameborder="0" allowfullscreen></iframe>'
. '</div>';
```
**Fixed Code:**
```php
$value = 'https://www.youtube.com/embed/' . $value;
$value = '<div class="um-youtube">'
. '<iframe width="600" height="450" src="' . esc_url( $value ) . '" frameborder="0" allowfullscreen></iframe>'
. '</div>';
```
**Explanation:**
The original code directly concatenated the `$value` variable into the `src` attribute without proper escaping. Although `um_youtube_id_from_url()` likely extracts a clean video ID, the lack of output escaping creates an XSS vulnerability if the function fails to sanitize properly or if the video ID could be manipulated. The fix uses `esc_url()` to escape the URL before output, preventing malicious JavaScript from being injected into the iframe src attribute.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/core/um-filters-fields.php lines 130-131
**Old Code:**
```php
$value = '<div class="um-vimeo">
<iframe src="https://player.vimeo.com/video/' . $value . '" width="600" height="450" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
</div>';
```
**Fixed Code:**
```php
$value = 'https://player.vimeo.com/video/' . $value;
$value = '<div class="um-vimeo">
<iframe src="' . esc_url( $value ) . '" width="600" height="450" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
</div>';
```
**Explanation:**
Similar to the YouTube vulnerability, the Vimeo iframe src attribute was not properly escaped. Although the value should be numeric (from `parse_url`), the direct concatenation without escaping violates secure output practices. The fix applies `esc_url()` to properly escape the URL, preventing XSS attacks through the iframe src attribute.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/core/um-filters-fields.php lines 203-204
**Old Code:**
```php
$value = '<div class="um-googlemap">
<iframe width="600" height="450" frameborder="0" style="border:0" src="https://maps.google.it/maps?q=' . urlencode( $value ) . '&output=embed"></iframe>
</div>';
```
**Fixed Code:**
```php
$value = 'https://maps.google.it/maps?q=' . urlencode( $value ) . '&output=embed';
$value = '<div class="um-googlemap">
<iframe width="600" height="450" frameborder="0" style="border:0" src="' . esc_url( $value ) . '"></iframe>
</div>';
```
**Explanation:**
While `urlencode()` is used to encode the value, it does not escape HTML entities. The URL was directly concatenated into the src attribute without proper output escaping. The fix constructs the complete URL first, then applies `esc_url()` for proper escaping before output, preventing XSS through the iframe src attribute.
CVE Analysis Results:
CVE-2025-13220: Yes
CVE Description:
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including, 2.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.