CVE-2025-13604 in Login Security, FireWall, Malware removal by CleanTalk Plugin
Summary
by MITRE • 12/09/2025
The Login Security, FireWall, Malware removal by CleanTalk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the page URL in all versions up to, and including, 2.168 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/10/2025
The vulnerability identified as CVE-2025-13604 affects the Login Security, FireWall, Malware removal by CleanTalk plugin for WordPress, representing a critical stored cross-site scripting flaw that has persisted through all versions up to and including 2.168. This security weakness stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating a persistent vector for malicious actors to inject harmful scripts into WordPress pages. The vulnerability specifically targets the page URL handling functionality, where user-supplied input is not properly validated or escaped before being rendered in web pages, thereby enabling attackers to execute malicious code in the context of any user's browser who visits the compromised page.
The technical exploitation of this vulnerability occurs through the manipulation of page URLs that are processed by the CleanTalk plugin's security features. When an attacker crafts a malicious URL containing script payloads and convinces a victim to navigate to that page, the stored XSS vulnerability allows the injected scripts to execute automatically in the victim's browser environment. This type of vulnerability falls under CWE-79, which specifically addresses Cross-Site Scripting flaws in software applications, and represents a fundamental failure in input validation and output encoding practices that are essential for web application security. The stored nature of this XSS vulnerability means that the malicious scripts are permanently embedded within the application's data storage and will execute each time the affected page is accessed, making it particularly dangerous for long-term persistence.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to perform various malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious sites. Attackers can leverage this vulnerability to steal administrator credentials, modify website content, or establish persistent backdoors within the WordPress environment. The unauthenticated nature of the attack means that no prior access or privileges are required to exploit this vulnerability, making it particularly attractive to threat actors who seek to compromise WordPress installations with minimal effort. This vulnerability directly maps to ATT&CK technique T1566.001, which describes social engineering through spearphishing with malicious attachments, as attackers can craft malicious URLs that appear legitimate to users while containing the XSS payloads.
Mitigation strategies for CVE-2025-13604 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. System administrators should implement comprehensive monitoring of WordPress installations to identify any unauthorized modifications or suspicious URL patterns that may indicate exploitation attempts. Network-level protections such as web application firewalls can help detect and block malicious payloads, though these solutions should complement rather than replace proper input validation. The vulnerability highlights the critical importance of proper secure coding practices including input validation, output encoding, and regular security audits of third-party plugins. Organizations should also consider implementing Content Security Policy headers to limit the execution of unauthorized scripts, while maintaining regular backups to ensure rapid recovery from potential compromise scenarios. Given the persistent nature of stored XSS vulnerabilities, continuous security monitoring and prompt patch management remain essential defensive measures against this class of attack.