CVE-2025-13701 in Shabat Keeper Plugin

Summary

by MITRE • 01/09/2026

The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Analysis

by VulDB Data Team • 01/10/2026

CVE-2025-13701 is a critical reflected cross-site scripting vulnerability in the Shabat Keeper plugin for WordPress, affecting all versions up to and including 0.4.4. The flaw lies in the plugin's handling of the $_SERVER['PHP_SELF'] server variable: its value is reflected into page output without adequate input sanitization or output escaping, so an attacker who can influence that value can inject script that runs in a victim's browser, acts within the victim's session, and can compromise that session.

Exploitation occurs when an attacker crafts a URL that places script code in the value of PHP_SELF; the plugin then reflects that value back into the page without proper sanitization. The resulting reflected XSS is an application-layer weakness that unauthenticated attackers can use to execute arbitrary JavaScript in the context of a victim's browsing session. The attack requires social engineering, since the victim must be convinced to open the crafted link, but once the script runs it can steal session cookies, deface web pages, or redirect the user to malicious sites. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting), in which an application fails to properly escape output, and it maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript).

The operational impact of CVE-2025-13701 extends beyond simple script injection, potentially allowing attackers to escalate privileges and compromise entire WordPress installations. When users visit maliciously crafted URLs, their browsers execute the injected scripts, which can steal authentication tokens, modify content, or redirect users to phishing sites. The vulnerability affects all versions of the Shabat Keeper plugin up to 0.4.4, making it particularly concerning for WordPress administrators who may have deployed the plugin without proper security updates. This vulnerability can be exploited to perform session hijacking attacks, where attackers can impersonate legitimate users and gain unauthorized access to administrative functions or personal data. The reflected nature of the vulnerability means that the malicious code is not stored on the server but is instead injected through the request parameters, making detection more challenging for security monitoring systems.

Mitigation strategies for CVE-2025-13701 should prioritize immediate patching of the Shabat Keeper plugin to version 0.4.5 or later, which contains the necessary input sanitization and output escaping fixes. System administrators should implement comprehensive input validation measures that sanitize all user-supplied data before processing, particularly focusing on server variables like $_SERVER['PHP_SELF']. Additionally, proper output escaping should be implemented using WordPress's built-in escaping functions such as esc_html(), esc_attr(), and esc_url() to prevent script execution in output contexts. Network-based security controls should include web application firewalls that can detect and block malicious payloads targeting this specific vulnerability. Regular security audits and vulnerability assessments should be conducted to identify similar weaknesses in other plugins and themes, while automated scanning tools should be deployed to monitor for reflected XSS vulnerabilities across the entire WordPress installation. Organizations should also implement security awareness training for users to recognize potentially malicious links and understand the importance of not clicking on untrusted URLs. The remediation process should include monitoring for any signs of exploitation attempts and maintaining detailed logs of access patterns to detect anomalous behavior that may indicate successful exploitation of the vulnerability.
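The reflection described in the analysis and the escaping and log monitoring recommended above, as an added Python model that is not the plugin's code (the page does not show the plugin's source): php_self_from_request_path mimics how PHP builds $_SERVER['PHP_SELF'] from the script path plus any trailing, URL-decoded path info; render_form_vulnerable and render_form_hardened contrast unescaped reflection into an attribute with attribute-context escaping, where Python's html.escape stands in for WordPress's esc_attr()/esc_url(); and flag_log_lines scans constructed access-log lines for requests that carry markup characters in path info after a .php script, the trace such a link would leave in server logs. Every function name, the form markup, the admin page slug and the log lines are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import unquote, urlsplit


def php_self_from_request_path(request_target: str) -> str:
    """Model of how PHP derives $_SERVER['PHP_SELF'] under Apache: the script
    path plus any URL-decoded PATH_INFO, with the query string dropped.
    A request for /wp-admin/admin.php/extra?x=1 yields '/wp-admin/admin.php/extra'.
    (Simplified model for the example; not the plugin's code.)"""
    return unquote(urlsplit(request_target).path)


def render_form_vulnerable(php_self: str) -> str:
    # Reflects the server variable straight into an attribute: the CWE-79
    # pattern the advisory describes (hypothetical markup, not the plugin's).
    return '<form method="post" action="' + php_self + '">'


def render_form_hardened(php_self: str) -> str:
    # Attribute-context escaping neutralises quotes and angle brackets.
    # In a WordPress plugin this is what esc_attr()/esc_url() provide.
    return '<form method="post" action="' + html.escape(php_self, quote=True) + '">'


RAW_SCRIPT_TAG = re.compile(r'<\s*script', re.IGNORECASE)


def contains_raw_script_tag(rendered_html: str) -> bool:
    """True if the rendered markup still holds an unescaped <script> opener."""
    return RAW_SCRIPT_TAG.search(rendered_html) is not None


# --- Log monitoring (heuristic) --------------------------------------------

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PATH_INFO_AFTER_PHP = re.compile(r'\.php(/.*)$')
MARKUP_CHARS = set('<>"\'')


def suspicious_path_info(request_target: str) -> bool:
    """Flag a request whose path carries extra path info after a .php script
    that, once URL-decoded, contains markup-significant characters. A normal
    request to a WordPress admin page has no such trailing path segment."""
    path = urlsplit(request_target).path
    m = PATH_INFO_AFTER_PHP.search(path)
    if m is None:
        return False
    return any(ch in MARKUP_CHARS for ch in unquote(m.group(1)))


def flag_log_lines(lines):
    """Return the access-log lines whose request target looks like a
    PHP_SELF reflection attempt."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and suspicious_path_info(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample log lines in Apache combined-log style (not real traffic;
# addresses are from documentation ranges, the admin page slug is made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=settings HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Jan/2026:10:01:05 +0000] "GET /wp-admin/admin.php/%22%3E%3Cscript%3Etest%3C/script%3E?page=settings HTTP/1.1" 200 5211',
    '198.51.100.4 - - [09/Jan/2026:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

# Constructed request target carrying markup in the path info segment.
CRAFTED_REQUEST = '/wp-admin/admin.php/%22%3E%3Cscript%3Etest%3C/script%3E?page=settings'


if __name__ == "__main__":
    php_self = php_self_from_request_path(CRAFTED_REQUEST)
    print("PHP_SELF          :", php_self)
    print("vulnerable output :", render_form_vulnerable(php_self))
    print("hardened output   :", render_form_hardened(php_self))
    print("flagged log lines :", len(flag_log_lines(SAMPLE_LOG)))
```

The escaped variant keeps the attribute intact because the quote and angle brackets become entities, which is the output-escaping half of the fix the advisory calls for; the more robust fix is not to echo PHP_SELF at all and to build the form action from a fixed URL (in WordPress, a helper such as admin_url()). The log check is deliberately narrow: it looks only for path info after a .php script that decodes to markup characters, so it complements rather than replaces a web application firewall rule.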

Disclosure

01/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00067

KEV

no

Activities

very low
