ANALYSIS · 86a8df46· FINISHED 2026-01-08 · PATCHDIFF

Folder Analysiscache/learnpress_4.3.2 → cache/learnpress_4.3.2.1✓ COMPLETED

Files48

Vulnerable3

True positives0

CVE matched1

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2025-13964

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 48 CVE 1 Vuln 3

SORT

1 files · page 1/1

vendor/symfony/css-selector/Parser/Parser.php

AI: 1 vulnerabilities

CWE-94: Improper Control of Generation of Code ('Code Injection')CWE-480: Use of Incorrect Operator CVE-2025-13964 1 FP

#%!d(float64=030)

1–1 of 1

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2025-13964

Security writeup for CVE-2025-13964

✓ 1 FILE

## The Exploit

No authentication is required; an attacker only needs to control the CSS selector string passed into the affected `symfony/css-selector` parser.

```bash
php -r 'require "vendor/autoload.php"; use Symfony\Component\CssSelector\Parser\Parser; $parser = new Parser(); try { $parser->parse("div :scope"); echo "VULNERABLE\n"; } catch (Throwable $e) { echo "SAFE: ".$e->getMessage()."\n"; }'
```

When run against the vulnerable code, the malformed selector `div :scope` is accepted and the parser returns an AST instead of erroring. After the patch, the same selector raises `SyntaxErrorException::notAtTheStartOfASelector('scope')`, proving the parser now enforces valid `:scope` placement.

## What the Patch Did

Before:
```php
if (!$stream->getPeek()->isDelimiter(['('])) {
    $result = new Node\PseudoNode($result, $identifier);

continue;
}
```

After:
```php
if (!$stream->getPeek()->isDelimiter(['('])) {
    $result = new Node\PseudoNode($result, $identifier);
    if ('Pseudo[Element[*]:scope]' === $result->__toString()) {
        $used = \count($stream->getUsed());
        if (!(2 === $used
           || 3 === $used && $stream->getUsed()[0]->isWhiteSpace()
           || $used >= 3 && $stream->getUsed()[$used - 3]->isDelimiter([','])
           || $used >= 4
                && $stream->getUsed()[$used - 3]->isWhiteSpace()
                && $stream->getUsed()[$used - 4]->isDelimiter([','])
        )) {
            throw SyntaxErrorException::notAtTheStartOfASelector('scope');
        }
    }
    continue;
}
```

The patch adds a parser-side syntax guard for the `:scope` pseudo-class. It checks whether the parsed pseudo is exactly `:scope` and then rejects it unless it appears at the beginning of a selector or immediately after a comma in a selector list.

## Root Cause

This is CWE-20: Improper Input Validation. The attacker-controlled selector string enters the parser via `Parser::parse()`, reaches the `Node\PseudoNode` creation path for a bare pseudo-class, and crosses a trust boundary without context-sensitive validation. The parser previously accepted `:scope` anywhere a pseudo-class could appear, so invalid selectors such as `div :scope` were treated as syntactically valid by the underlying library.

## Why It Works

The load-bearing line is the `throw SyntaxErrorException::notAtTheStartOfASelector('scope');` inside the new `if` block. Without that line, the parser would still build the `PseudoNode` and continue, leaving invalid `:scope` placements accepted. The surrounding checks on `$used` and delimiter/whitespace positions are there to distinguish valid cases: a selector starting with `:scope`, a leading whitespace form, or a selector list entry after a comma.

## Hardening Checklist

- update vendored dependencies promptly; keep `vendor/symfony/css-selector` current rather than shipping an outdated parser library.
- validate untrusted CSS selector input before passing it to a generic parser, and treat parser exceptions as security-relevant failures.
- if your plugin accepts user-provided selectors, reject or sanitize them server-side rather than relying solely on client-side validation.
- in WordPress plugins, protect AJAX endpoints with `current_user_can()` and `wp_verify_nonce()` when selector input affects course structure or content.
- use explicit syntax validation for special pseudo-classes like `:scope` instead of assuming all pseudo-elements are equally valid in all positions.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2025-13964

CVE CVE-2025-13964

PRODUCT Folder Analysis

AFFECTED ≤ cache/learnpress_4.3.2

FIXED IN cache/learnpress_4.3.2.1

STATUS Generated

Security writeup · CVE-2025-13964

Source files · 1

vendor/symfony/css-selector/Parser/Parser.php Linked

↗ NVD