CVE-2025-13624
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious scripts via the PHP_SELF parameter in the Overstock Affiliate Links WordPress plugin. When users click specially crafted links, their browsers execute attacker-controlled JavaScript, potentially stealing session cookies or performing actions on their behalf. All WordPress sites using this plugin version 1.1 or earlier are affected.
💻 Affected Systems
- Overstock Affiliate Links WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain administrative access to WordPress, install backdoors, deface websites, or pivot to internal network systems.
Likely Case
Attackers steal user session cookies to hijack accounts, redirect users to malicious sites, or display phishing forms to steal credentials.
If Mitigated
With proper web application firewalls and content security policies, malicious scripts are blocked before execution, limiting impact to failed attack attempts.
🎯 Exploit Status
Exploitation requires tricking users into clicking malicious links. The vulnerability is in publicly accessible code with clear proof-of-concept references available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check WordPress plugin repository for updates beyond 1.1
Vendor Advisory: https://wordpress.org/plugins/overstock-affiliate-links/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Overstock Affiliate Links'. 4. Click 'Update Now' if available. 5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Web Application Firewall Rule
allBlock requests containing script tags or malicious patterns in the PHP_SELF parameter
WAF-specific configuration required
Content Security Policy
allImplement strict CSP headers to prevent script execution from untrusted sources
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to .htaccess or web server configuration
🧯 If You Can't Patch
- Deactivate the Overstock Affiliate Links plugin immediately
- Implement network-level filtering to block requests with suspicious PHP_SELF parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Overstock Affiliate Links' version 1.1 or earlierCheck Version:
wp plugin list --name='overstock-affiliate-links' --field=version (if WP-CLI installed)Verify Fix Applied:
Verify plugin is either updated to version beyond 1.1 or completely removed from the plugins directory📡 Detection & Monitoring
Log Indicators:
- HTTP requests with script tags or JavaScript in PHP_SELF parameter
- Multiple 404 errors for sandbox_page.php with suspicious parameters
Network Indicators:
- Outbound connections to suspicious domains following visits to pages with PHP_SELF parameters
- Unusual traffic patterns to plugin-specific endpoints
SIEM Query:
source="web_logs" AND uri="*sandbox_page.php*" AND (param="*<script>*" OR param="*javascript:*")🔗 References
- https://plugins.trac.wordpress.org/browser/overstock-affiliate-links/tags/1.1/sandbox_page.php#L18
- https://plugins.trac.wordpress.org/browser/overstock-affiliate-links/trunk/sandbox_page.php#L18
- https://wordpress.org/plugins/overstock-affiliate-links/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c06207da-d15d-4540-84be-218fa9055fd5?source=cve
