Analysis Report · Folder Analysis cache/wishsuite_1.5.1 → cache/wishsuite_1.5.2 — CVE-2025-13838
Shared security patch analysis results
CVE Security Analysis & Writeups
Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.
CVE-2025-13838
NVD
AI-Generated Analysis
Findings
includes/classes/Frontend/Shortcode.php
AI: 1 vulnerability
1 true positive
CVE-2025-13838
--- cache/wishsuite_1.5.1/includes/classes/Frontend/Shortcode.php 2025-12-22 00:31:06.121139753 +0000+++ cache/wishsuite_1.5.2/includes/classes/Frontend/Shortcode.php 2025-12-22 00:31:11.025443281 +0000@@ -143,6 +143,14 @@ 'template_name' => ( $has_product === true ) ? 'exist' : 'add', ); $atts = shortcode_atts( $default_atts, $atts, $content );++ // Sanitize shortcode attributes to prevent XSS+ // Uses custom allowed HTML that includes SVG elements for button icons+ $allowed_html = $this->get_allowed_button_html();+ $atts['button_text'] = wp_kses( $atts['button_text'], $allowed_html );+ $atts['button_added_text'] = wp_kses( $atts['button_added_text'], $allowed_html );+ $atts['button_exist_text'] = wp_kses( $atts['button_exist_text'], $allowed_html );+ return Manage_Wishlist::instance()->button_html( $atts ); }@@ -263,5 +271,42 @@ } + /**+ * Get allowed HTML tags for button text sanitization (includes SVG)+ * @return array+ */+ private function get_allowed_button_html() {+ $allowed = wp_kses_allowed_html( 'post' );++ // Add SVG support for button icons+ $svg_args = array(+ 'svg' => array(+ 'class' => true,+ 'id' => true,+ 'xmlns' => true,+ 'width' => true,+ 'height' => true,+ 'viewbox' => true,+ 'fill' => true,+ 'stroke' => true,+ 'stroke-width' => true,+ 'style' => true,+ 'enable-background' => true,+ ),+ 'g' => array(+ 'class' => true,+ 'id' => true,+ 'fill' => true,+ ),+ 'path' => array(+ 'class' => true,+ 'd' => true,+ 'fill' => true,+ ),+ );++ return array_merge( $allowed, $svg_args );+ }+ }\ No newline at end of file
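Review bot: the first hunk sanitizes only `button_text`, `button_added_text` and `button_exist_text`; whether the remaining entries of `$atts` that reach `Manage_Wishlist::instance()->button_html( $atts )` are escaped at output is not visible here and should be confirmed, since `shortcode_atts()` lets the shortcode author set any key present in `$default_atts`. Separately, the unchanged line `$atts = shortcode_atts( $default_atts, $atts, $content );` passes `$content` as the third argument, but that parameter is the shortcode tag used to name the `shortcode_atts_{$shortcode}` filter, so `'wishsuite_button'` is the value expected there; worth fixing while this code is being touched.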
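Review bot: in the second hunk `'style' => true` on `svg` means the safety of that attribute rests on kses's inline-style filtering rather than on this allowlist; if the button icons do not need inline styles, dropping `style` (and the deprecated `enable-background` presentation attribute) narrows the surface at no functional cost, and the docblock should state that the list is the `post` context plus SVG so later maintainers do not widen it casually. Functionally, only `svg`, `g` and `path` are listed, so icons built from `circle`, `rect`, `line` or `polyline` will be stripped down to their text; if those are added later, keep `use`, `script`, `foreignObject` and `on*` event attributes out of the list. Minor: `wp_kses_allowed_html( 'post' )` is rebuilt on every call, so caching the merged array in a property avoids recomputing it for each shortcode on a page.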
AI Analysis
Vulnerability Existed: yes (TRUE POSITIVE)

Cross-Site Scripting (XSS) - CWE-79 - includes/classes/Frontend/Shortcode.php, lines 146-149

Old Code:

```php
$atts = shortcode_atts( $default_atts, $atts, $content );
return Manage_Wishlist::instance()->button_html( $atts );
```

Fixed Code:

```php
$atts = shortcode_atts( $default_atts, $atts, $content );

// Sanitize shortcode attributes to prevent XSS
// Uses custom allowed HTML that includes SVG elements for button icons
$allowed_html = $this->get_allowed_button_html();
$atts['button_text'] = wp_kses( $atts['button_text'], $allowed_html );
$atts['button_added_text'] = wp_kses( $atts['button_added_text'], $allowed_html );
$atts['button_exist_text'] = wp_kses( $atts['button_exist_text'], $allowed_html );

return Manage_Wishlist::instance()->button_html( $atts );
```

Explanation: The vulnerability existed because user-supplied shortcode attributes (`button_text`, `button_added_text`, `button_exist_text`) were passed directly to `button_html()` without sanitization. This allowed an attacker able to place the shortcode to inject arbitrary HTML and JavaScript through those attributes. The fix passes each of these attributes through `wp_kses()` before use, stripping disallowed tags and attributes while preserving safe HTML, including the SVG elements needed for button icons. The `get_allowed_button_html()` method defines that allowlist of tags and attributes (the `post` context set plus `svg`, `g` and `path`), which is allowlist-based sanitization in line with WordPress security guidance.
CVE Analysis Results:
CVE-2025-13838: Yes
The WishSuite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter of the 'wishsuite_button' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.