CVE-2025-13627
📋 TL;DR
The Makesweat WordPress plugin has a stored XSS vulnerability in the 'makesweat_clubid' setting that allows authenticated administrators to inject malicious scripts. These scripts execute whenever users access compromised pages, potentially affecting all visitors to vulnerable WordPress sites.
💻 Affected Systems
- Makesweat WordPress Plugin
⚠️ Manual Verification Required
This CVE has no specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges were provided by the vendor or NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leads to site takeover, credential theft from all visitors, or malware distribution through the compromised WordPress site.
Likely Case
Attackers with admin access inject scripts to steal session cookies, redirect users to malicious sites, or deface website content.
If Mitigated
With proper access controls and input validation, impact is limited to administrators who might accidentally execute scripts in their own sessions.
🎯 Exploit Status
Exploitation requires administrator credentials but is technically simple once access is obtained. The vulnerability is in core plugin functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://it.wordpress.org/plugins/makesweat/
Restart Required: No
Instructions:
1. Remove the Makesweat plugin from WordPress
2. Delete plugin files from /wp-content/plugins/makesweat/
3. Check the database for any injected scripts in the stored plugin settings
4. Consider alternative plugins with active maintenance
🔧 Temporary Workarounds
Disable Makesweat Plugin
Deactivate and remove the vulnerable plugin from WordPress
wp plugin deactivate makesweat
wp plugin delete makesweat
Restrict Admin Access
Implement strict access controls and monitoring for administrator accounts
🧯 If You Can't Patch
- Implement web application firewall with XSS protection rules
- Enable Content Security Policy headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check the WordPress plugin list for Makesweat version 0.1 or earlier
Check Version:
wp plugin list --name=makesweat --field=version
Verify Fix Applied:
Confirm that the Makesweat plugin is not installed, i.e. its directory is no longer present under /wp-content/plugins/
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator activity modifying plugin settings
- Multiple requests setting the makesweat_clubid parameter to script-like content
Network Indicators:
- Script tags in makesweat_clubid parameter values
- Unusual outbound connections from WordPress admin pages
SIEM Query:
source="wordpress" AND uri="*makesweat_clubid*" AND (data="*script*" OR data="*javascript:*")
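The SIEM rule's intended logic (the request must reference the makesweat_clubid setting AND its value must look script-like) applied to constructed sample records, as an added example that is not part of this advisory or the plugin. The tab-separated log format, the placement of the setting in the URI or POST body, and the inline event-handler pattern are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Indicators named in the advisory ("<script", "javascript:") plus inline
# event handlers, a common generalisation for stored-XSS payloads in settings.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

# Constructed sample records, not real logs: "<user>\t<uri>\t<post body>".
SAMPLE_LOG = [
    "admin\t/wp-admin/options.php\toption_page=makesweat&makesweat_clubid=1234",
    "admin\t/wp-admin/options.php\tmakesweat_clubid=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "editor\t/wp-admin/post.php\tcontent=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "admin\t/wp-admin/options.php\tmakesweat_clubid=javascript%3Aalert(document.cookie)",
    "admin\t/wp-admin/options.php\tmakesweat_clubid=%2522%2520onerror%253Dalert(1)",
]


def clubid_values(uri: str, body: str) -> list[str]:
    """Return every makesweat_clubid value found in the query string or body,
    percent-decoded. parse_qs decodes once; a second unquote_plus catches
    double-encoded payloads (%2522 -> %22 -> ")."""
    values = []
    for source in (uri.partition("?")[2], body):
        for v in parse_qs(source, keep_blank_values=True).get("makesweat_clubid", []):
            values.append(unquote_plus(v))
    return values


def is_suspicious(uri: str, body: str) -> bool:
    """Both conditions must hold: the vulnerable setting is being written AND
    its value is script-like. A script tag in some other field (e.g. post
    content) is not this CVE and must not match."""
    return any(SUSPICIOUS.search(v) for v in clubid_values(uri, body))


def scan_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (user, uri) for each record that trips the rule."""
    hits = []
    for line in lines:
        user, uri, body = line.split("\t", 2)
        if is_suspicious(uri, body):
            hits.append((user, uri))
    return hits


if __name__ == "__main__":
    for user, uri in scan_log(SAMPLE_LOG):
        print(f"ALERT user={user} uri={uri}")
```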
🔗 References
- https://it.wordpress.org/plugins/makesweat/
- https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L64
- https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L85
- https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L64
- https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L85
- https://www.wordfence.com/threat-intel/vulnerabilities/id/88dec08d-cb27-4ea8-853e-0c12dd0a6ab6?source=cve