WWordPress Vulnerability Database

Community Alert Cross Site Scripting in Kadence(CVE202513387)

Cross Site Scripting (XSS) in WordPress Kadence WooCommerce Email Designer Plugin
0
Shares
0
0
0
0






Urgent: Unauthenticated Stored XSS in Kadence WooCommerce Email Designer (<= 1.5.17) — What Site Owners Must Do Now


Plugin Name Kadence WooCommerce Email Designer
Type of Vulnerability Cross-Site Scripting (XSS)
CVE Number CVE-2025-13387
Urgency Medium
CVE Publish Date 2025-12-02
Source URL CVE-2025-13387

Urgent: Unauthenticated Stored XSS in Kadence WooCommerce Email Designer (≤ 1.5.17) — What Site Owners Must Do Now

Summary: A recently disclosed unauthenticated stored Cross‑Site Scripting (XSS) vulnerability affects Kadence WooCommerce Email Designer versions up to and including 1.5.17. An unauthenticated attacker can submit and persist malicious HTML/JavaScript into the plugin’s data stores so the payload executes later when relevant pages or admin screens are viewed. The issue is fixed in 1.5.18. The vulnerability carries a CVSS-like score around 7.1 and should be treated as medium/high risk for affected stores. If you run WooCommerce and use this plugin, act immediately.

As a Hong Kong security expert, I present pragmatic, technical guidance below: what this vulnerability means, how it may be exploited, indicators of compromise, immediate mitigation steps, and longer-term hardening to reduce future risk.

Quick checklist — immediate actions (do these right away)

  1. Confirm the plugin version on your site. If Kadence WooCommerce Email Designer is installed and at version ≤ 1.5.17, proceed.
  2. If possible, update the plugin to 1.5.18 immediately.
  3. If you cannot update immediately:
    • Temporarily deactivate the plugin.
    • Restrict access to any endpoints or interfaces the plugin exposes (see mitigation below).
    • Apply WAF rules or server-level request filtering to block stored XSS payloads and suspicious POST activity.
  4. Scan your site for indicators of compromise — stored HTML/JS in templates, unexpected admin notices, suspicious scheduled tasks, and unfamiliar admin users.
  5. Rotate passwords for administrator accounts and any SMTP/API credentials that may have been exposed via stored payloads.
  6. Monitor logs and incoming traffic for exploitation patterns.

What exactly happened? Technical background

This is a stored (persistent) XSS vulnerability that can be exploited without authentication. In stored XSS an attacker supplies malicious HTML or JavaScript into a data store (database, options table, post content, plugin settings, etc.), and the application later outputs that content into pages or admin screens without proper escaping or filtering. Because the payload is persistent, the attacker does not need to be present when the code executes — the malicious script runs when an administrator or site visitor views the affected content.

Key facts:

  • Affected plugin: Kadence WooCommerce Email Designer
  • Vulnerable: versions ≤ 1.5.17
  • Fixed: 1.5.18
  • Privilege: unauthenticated (no login required)
  • Classification: Stored Cross‑Site Scripting (XSS)
  • Risk: Medium (CVSS ~7.1) but practically dangerous because it is unauthenticated and persistent
  • Typical entry points: template editors, email designer UI, endpoints that accept HTML for email templates or previews

Why this is dangerous:

  • Code executing in visitors’ or administrators’ browsers can steal cookies, session tokens, or perform actions on behalf of logged-in admins.
  • Email template XSS can execute when an admin preview or an emailed HTML content containing script is rendered in a web-based viewer — a vector for targeting both admins and customers.
  • An unauthenticated attacker can plant persistent payloads that remain until removed, enabling ongoing exploitation.

Real‑world attack scenarios

  • An attacker submits an email template containing JavaScript. When an admin or shop manager opens the email template editor, the script runs and exfiltrates cookies or triggers privileged actions (e.g., creating a new admin) via the admin interface.
  • A malicious payload injects a redirect or iframe into customer-facing email content or order confirmation pages, guiding customers to phishing pages.
  • The stored script chains to other vulnerabilities or misuses administrative workflows to modify files, add backdoor users, or change payment/checkout forms.
  • Attackers use stored XSS to install client-side cryptomining, ad injections, or tampered checkout forms that capture payment data.

Because the vulnerability is unauthenticated, automated scanners and opportunistic attackers can weaponise it quickly.

Indicators of compromise (what to look for)

If you used the plugin and haven’t updated, check for:

  • Unexpected JavaScript snippets stored in:
    • Email templates or email preview HTML
    • Plugin-specific options (wp_options entries)
    • Custom post types used by the plugin
  • Unfamiliar admin users or unexpected role changes
  • Anonymous POST requests to plugin endpoints in access logs
  • Admin interface behaving oddly — unexpected redirects, popups, or JS execution when opening the email editor
  • Malicious-looking HTML in outgoing transactional emails (order confirmations, receipts)
  • New scheduled tasks (wp-cron) or unexpected modifications to plugin/theme files
  • Suspicious outbound network activity from the site (requests to unknown hosts)

Logs to review:

  • Web server access logs for POSTs to plugin URLs
  • WordPress debug.log (if enabled)
  • Database content for recently modified rows in wp_options, wp_posts, and plugin-specific tables
  • Email logs for HTML content that contains

    Review My Order

    0

    Subtotal

    Taxes & shipping calculated at checkout

    Checkout