CVE-2025-13418 Scanner
CVE-2025-13418 Scanner - Cross-Site Scripting (XSS) vulnerability in Responsive Pricing Table
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 15 hours
Scan only one: Domain, Subdomain, IPv4
The Responsive Pricing Table plugin for WordPress is used by website owners and developers to build attractive, functional pricing tables quickly. It is popular with small to mid-sized businesses, bloggers, and e-commerce sites that want to present pricing clearly, and it offers easy customization, responsive layouts, and features for highlighting service features, benefits, and costs. Like any widely installed plugin, it becomes a liability when it is not kept updated, so users should track newly disclosed vulnerabilities that affect it.
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Responsive Pricing Table plugin for WordPress. An authenticated user with Author-level access can inject arbitrary web scripts into the plugin settings because the 'plan_icons' parameter is neither sufficiently sanitized on input nor adequately escaped on output. The injected script is stored and later executes in the browsing context of an administrator managing the pricing table, so a low-privileged account gains JavaScript execution in the administrator's browser. That foothold can be used for further exploitation or data theft, compromising the integrity of the site and its user data.
Technically, the flaw lies in how the 'plan_icons' parameter is handled when a pricing table is created or modified. A user with the required permissions can place script content in this parameter, and it is triggered when an administrator opens the manage or edit interface for the pricing table entries. Because the parameter's value is neither sanitized on input nor escaped on output, the XSS vector persists in the admin view. This missing validation and escaping is the critical defect: it gives an attacker a stored entry point for JavaScript that can target administrative actions or data on the affected site.
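To make the root cause concrete, here is an added illustration of the vulnerable pattern (store raw input, echo it unescaped) next to the hardened form (sanitize on save, escape on output). It is not the plugin's own code: the field name 'plan_icons' comes from the description above, but the assumption that it carries a comma-separated list of icon CSS class names rendered into a class attribute, the rpt_demo_ function names, and the nonce action name are all hypothetical. The WordPress functions used (wp_unslash, sanitize_html_class, esc_attr, wp_verify_nonce, current_user_can, update_post_meta, get_post_meta) are real core APIs.

```php
<?php
// Added illustration, not the plugin's code. Assumes a hypothetical
// 'plan_icons' field posted as a comma-separated list of icon class names
// and rendered inside an HTML class attribute on an admin screen.

// VULNERABLE PATTERN: raw input is stored and later echoed with no escaping,
// so whatever an Author saved is interpreted as markup in the admin's browser.
function rpt_demo_save_plan_icons_vulnerable( $post_id ) {
    if ( isset( $_POST['plan_icons'] ) ) {
        update_post_meta( $post_id, 'plan_icons', wp_unslash( $_POST['plan_icons'] ) );
    }
}

function rpt_demo_render_plan_icons_vulnerable( $post_id ) {
    $icons = get_post_meta( $post_id, 'plan_icons', true );
    echo '<i class="' . $icons . '"></i>'; // unescaped: stored XSS sink
}

// HARDENED PATTERN: verify intent and capability, reduce the input to the
// shape the feature actually needs, and still escape at the output sink.
function rpt_demo_save_plan_icons( $post_id ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Hypothetical nonce action name 'rpt_demo_save'.
    if ( ! isset( $_POST['rpt_demo_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['rpt_demo_nonce'] ), 'rpt_demo_save' ) ) {
        return;
    }

    $raw = ( isset( $_POST['plan_icons'] ) && is_string( $_POST['plan_icons'] ) )
        ? wp_unslash( $_POST['plan_icons'] )
        : '';

    // Each entry is reduced to a valid CSS class token (A-Z, a-z, 0-9, _, -);
    // quotes, angle brackets and everything else are dropped, empties removed.
    $classes = array_filter( array_map( 'sanitize_html_class', explode( ',', $raw ) ) );

    update_post_meta( $post_id, 'plan_icons', implode( ' ', $classes ) );
}

function rpt_demo_render_plan_icons( $post_id ) {
    $icons = get_post_meta( $post_id, 'plan_icons', true );
    // Escape for attribute context even though the value was sanitized on save:
    // output escaping is what protects the administrator regardless of how the
    // value reached the database.
    echo '<i class="' . esc_attr( (string) $icons ) . '"></i>';
}
```

The capability check alone would not close this bug, since an Author legitimately has edit_post on their own entries; the fix is the combination of constraining the stored value to an allowlisted shape and escaping it with esc_attr at the point where it is written into the admin page.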
If exploited, the vulnerability can lead to theft of session cookies, redirection of administrators to arbitrary sites, or follow-on targeted attacks. JavaScript payloads running in the administrator's session can manipulate the Document Object Model (DOM) to capture credentials or perform actions on the administrator's behalf, and may be used to plant backdoors or redirect traffic to malicious destinations, damaging both the function and the credibility of the site. Given the potential impact on business operations and user privacy, mitigation is essential.