CVE-2025-13971 in TWW Protein Calculator Plugin

Summary

by MITRE • 12/12/2025

The TWW Protein Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Header' setting in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Analysis

by VulDB Data Team • 12/12/2025

The TWW Protein Calculator plugin for WordPress is affected by a stored cross-site scripting vulnerability in all versions up to and including 1.0.24. The flaw lies in the plugin's 'Header' setting: the value an administrator enters is stored without adequate sanitization and is later rendered in page output without HTML escaping. An authenticated user with administrator-level access can therefore save markup containing script in this setting, and that script is served to every visitor of a page on which the header is displayed. The root cause is the familiar pair of omissions in plugin settings handling: no sanitize step when the option is written to the database and no escape step when it is echoed into the page.

The exploitation conditions deserve care, because the summary's wording is easy to misread. On a default single-site installation, administrators hold the unfiltered_html capability and may post arbitrary HTML and script in content anyway, so storing script in a plugin setting crosses no security boundary there. The issue is a vulnerability only where an administrator lacks that capability: on multisite networks, where unfiltered_html is reserved for super admins, or on any installation where it has been disabled (for example through the DISALLOW_UNFILTERED_HTML constant). These are two alternative conditions, not a combined one. In such environments the plugin lets a site administrator do something WordPress core deliberately prevents. Once the payload is stored it is persistent: it runs in the browser of every user who loads an affected page, including more privileged users such as a network super admin visiting the site, until the stored value is cleaned up. The plugin setting itself is per-site, so the multisite concern is the capability gap between site administrators and super admins rather than a payload spreading across sites in the network.
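The following is an added example, not code from the TWW Protein Calculator plugin, showing the store-raw/echo-raw pattern described above beside the sanitize-on-save/escape-on-output pattern that prevents it. The option name tww_pc_header, the option group tww_pc_options and the tww_pc_* function names are hypothetical placeholders; register_setting(), get_option(), sanitize_text_field(), esc_html() and add_action() are real WordPress core functions.

```php
<?php
/*
 * Added example (not the plugin's own code). The tww_pc_* names are
 * hypothetical placeholders; the WordPress API functions are real.
 */

// ---- Vulnerable pattern: store raw, echo raw ------------------------------

function tww_pc_register_header_vulnerable() {
    // No sanitize_callback: the submitted value is written to wp_options
    // verbatim. Core does not run kses over option values, so an
    // administrator without unfiltered_html is not stopped here.
    register_setting( 'tww_pc_options', 'tww_pc_header' );
}

function tww_pc_render_header_vulnerable() {
    // The stored value is printed without escaping. A constructed value such
    // as '<script>/* attacker code */</script>' therefore executes in the
    // browser of every visitor who loads a page that shows the header.
    echo '<h2>' . get_option( 'tww_pc_header', '' ) . '</h2>';
}

// ---- Hardened pattern: sanitize on save, escape on output -----------------

function tww_pc_sanitize_header( $value ) {
    // A heading only needs plain text: strip tags, control characters and
    // surrounding whitespace before the value reaches the database.
    return sanitize_text_field( $value );
}

function tww_pc_register_header_hardened() {
    register_setting(
        'tww_pc_options',
        'tww_pc_header',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'tww_pc_sanitize_header',
            'default'           => '',
        )
    );
}

function tww_pc_render_header_hardened() {
    // Escaping at output is the backstop for values that bypassed the
    // sanitizer: a direct database edit, WP-CLI, or a payload stored by an
    // older plugin version before the hardened sanitizer existed.
    echo '<h2>' . esc_html( get_option( 'tww_pc_header', '' ) ) . '</h2>';
}

add_action( 'admin_init', 'tww_pc_register_header_hardened' );
```

If the setting is meant to accept limited markup, use wp_kses_post() as both the sanitize_callback and the output filter instead of the plain-text pair, and store unfiltered HTML only when current_user_can( 'unfiltered_html' ) is true; that mirrors what core does for post content and is exactly the boundary this CVE crosses. Note that the output escaping in the hardened renderer also neutralizes a payload that was stored before an update, but an operator should still inspect and clean the stored option rather than rely on that alone.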

From an operational perspective, the requirement for administrator-level access means the realistic attacker is a malicious or compromised site administrator rather than an external, unauthenticated party; the very low EPSS score recorded below is consistent with that. The vulnerability does not by itself grant privilege escalation, but script executing in another user's session can perform any action that user is entitled to, which is why the super admin scenario on multisite is the one to watch. Administrators may be unaware that a harmless-looking settings field is reachable by users who are not supposed to be able to store script, and that an existing payload survives a plugin update unless the stored value is reviewed.

The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation). Recommended mitigations: update to a fixed plugin version once the vendor publishes one, keep the number of administrator and site administrator accounts small, inspect the current Header setting for unexpected markup, and monitor changes to plugin options (for example through an activity-log plugin or periodic export of wp_options) so an injected value is noticed quickly. On the developer side the fix is the standard one for WordPress settings: register the option with a sanitize_callback that enforces the intended content type, escape the value on output with esc_html() or wp_kses_post(), and store raw HTML only for users who actually hold unfiltered_html, as WordPress core does for post content.

Disclosure

12/12/2025

Moderation

accepted

CPE

ready

EPSS

0.00029

KEV

no

Activities

very low

Sources