CVE-2025-13989 in WP Dropzone Plugin

Summary

by MITRE • 12/12/2025

The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'callback' attributes, which are evaluated as JavaScript code via the `new Function()` constructor. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 12/12/2025

The vulnerability identified as CVE-2025-13989 affects the WP Dropzone plugin for WordPress, representing a critical stored cross-site scripting flaw that has significant implications for website security. This vulnerability exists in all versions up to and including 1.1.1, making it a widespread concern for WordPress administrators who have not yet updated their installations. The flaw specifically targets the 'callback' shortcode attribute, which serves as an entry point for malicious code injection through improperly sanitized user input.

The root cause is inadequate input validation and output escaping in the plugin's codebase. When a 'callback' attribute is supplied through the shortcode, the plugin does not sanitize it before use. Instead of treating the value as a plain parameter (for example, the name of a pre-registered handler), the code passes it to the `new Function()` constructor, which compiles the string into JavaScript and turns user-supplied data into executable code. This pattern directly violates security best practices and creates a pathway for arbitrary script execution in the context of the victim's browser session.
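To make the distinction concrete, the following added example (not the plugin's code, and not from the advisory) places the unsafe pattern the analysis describes next to a hardened replacement: the attribute is treated as the name of a callback looked up in a site-controlled allow-list, never as source text. The function names, the registry and the sample values are assumptions made for illustration.

```javascript
// Added example; not taken from WP Dropzone. All names below are assumed.

// Vulnerable pattern: the shortcode attribute becomes the *body* of a new
// function, so whatever a Contributor stores in post content runs as script
// in every viewer's browser.
function unsafeCallback(attrValue) {
  return new Function("file", attrValue); // attribute value is compiled as JS
}

// Hardened pattern: the attribute may only *name* a callback that the site
// registered itself. Unknown or non-identifier values are rejected and
// nothing is ever compiled from the attribute.
const CALLBACK_REGISTRY = Object.freeze({
  logUpload: (file) => `uploaded:${file.name}`,
  previewImage: (file) => `preview:${file.name}`,
});

// Bare JavaScript identifier: letters, digits, underscore, dollar sign.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function resolveCallback(attrValue, registry = CALLBACK_REGISTRY) {
  if (typeof attrValue !== "string" || !IDENTIFIER.test(attrValue)) {
    return null; // not a plain name (e.g. contains parentheses or quotes)
  }
  // hasOwnProperty guards against prototype names such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(registry, attrValue)) {
    return null; // name not registered: refuse rather than fall back to eval
  }
  return registry[attrValue];
}

function runCallback(attrValue, file) {
  const cb = resolveCallback(attrValue);
  return cb ? cb(file) : "ignored";
}
```

The allow-list approach also makes the server-side fix straightforward: the PHP that renders the shortcode can restrict the attribute to the same identifier pattern and escape it on output, because the client no longer needs anything other than a name.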

The operational impact of this vulnerability is particularly concerning given that it requires only Contributor-level access or higher to exploit, which is a relatively low privilege level in WordPress security architecture. This means that attackers who have gained access to a user account with contributor privileges or higher can inject malicious scripts that will execute whenever any user accesses a page containing the vulnerable shortcode. The stored nature of this XSS vulnerability means that the malicious code persists on the server and affects all users who view affected pages, creating a persistent threat vector that can be leveraged for various malicious activities including session hijacking, credential theft, or redirection to malicious sites.

From a cybersecurity framework perspective, this vulnerability aligns with CWE-79 (Cross-site Scripting) and represents a classic example of how insufficient input validation can lead to arbitrary code execution. The ATT&CK framework categorizes this as a form of code injection, specifically falling under the T1059.007 technique for JavaScript-based execution. The vulnerability also demonstrates poor security hygiene in input sanitization, which is a fundamental principle of secure coding practices and is referenced in multiple security standards including OWASP Top Ten and NIST cybersecurity guidelines. The use of the `new Function()` constructor for evaluating user input represents a particularly dangerous pattern that should be avoided in secure application development.

Organizations affected by this vulnerability should immediately update to the latest version of the WP Dropzone plugin where available, add input validation of their own where they cannot, and monitor stored content for suspicious shortcode usage. Administrators should also consider a Content Security Policy that limits the execution of inline scripts, and should audit all installed plugins for similar patterns. The vulnerability underscores the importance of regular security updates and proper input sanitization in web applications, particularly those that handle user-generated content or shortcode parameters that end up being executed as code.
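The monitoring step above can be approximated by scanning stored post content for shortcode 'callback' attributes whose value is anything other than a plain identifier. The following added example (not from the advisory or the plugin) does this over a small constructed set of posts; the shortcode tag name `wp_dropzone`, the post records and the attribute syntax are assumptions, so the tag should be replaced with whatever the installed plugin actually registers.

```javascript
// Added example; the tag name and sample posts are constructed for illustration.

const SHORTCODE_TAG = "wp_dropzone"; // assumed shortcode tag
const SAFE_NAME = /^[A-Za-z_$][\w$]*$/; // what a legitimate callback name looks like

// Captures the attribute string of every [wp_dropzone ...] occurrence.
const SHORTCODE_RE = new RegExp(`\\[${SHORTCODE_TAG}\\b([^\\]]*)\\]`, "g");
// key="value", key='value' or key=value pairs inside that string.
const ATTR_RE = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))/g;

function parseAttributes(attrString) {
  const attrs = {};
  for (const m of attrString.matchAll(ATTR_RE)) {
    attrs[m[1]] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Returns one finding per shortcode whose callback is not a bare identifier.
function findSuspiciousCallbacks(posts) {
  const findings = [];
  for (const post of posts) {
    for (const m of post.content.matchAll(SHORTCODE_RE)) {
      const attrs = parseAttributes(m[1]);
      if ("callback" in attrs && !SAFE_NAME.test(attrs.callback)) {
        findings.push({ postId: post.id, author: post.author, callback: attrs.callback });
      }
    }
  }
  return findings;
}

// Constructed sample posts standing in for rows from wp_posts.
const SAMPLE_POSTS = [
  { id: 1, author: "editor", content: 'Upload here: [wp_dropzone callback="logUpload" max_files=3]' },
  { id: 2, author: "contributor", content: '[wp_dropzone callback="alert(1)"] some text' },
  { id: 3, author: "author", content: "No shortcode in this post." },
];

function scanSamplePosts() {
  return findSuspiciousCallbacks(SAMPLE_POSTS);
}
```

Any hit is worth reviewing by hand together with the post's revision history, since a Contributor can edit the attribute repeatedly while the post is in draft. The scan is a triage aid, not a fix: a value that passes the identifier check is still only safe once the plugin itself stops compiling the attribute.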

Responsible: Wordfence

Reservation: 12/03/2025

Disclosure: 12/12/2025

Moderation: accepted

CPE: ready

EPSS: 0.00041

KEV: no

Activities: very low

Sources
