CVE-2025-13676
📋 TL;DR
The JustClick registration plugin for WordPress has a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts via the PHP_SELF server variable. When a user clicks a specially crafted link, the attacker can execute arbitrary JavaScript in the victim's browser context. All WordPress sites using JustClick plugin versions 0.1 and earlier are affected.
💻 Affected Systems
- JustClick Subscriber WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as the victim user, redirect to malicious sites, or install malware through the victim's browser.
Likely Case
Attackers will typically use this to steal WordPress admin session cookies, potentially gaining administrative access to the WordPress site.
If Mitigated
With proper Content Security Policy headers and modern browser XSS protections, the impact is limited to the specific page where the vulnerability exists.
🎯 Exploit Status
The vulnerability is simple to exploit - attackers only need to craft a malicious URL and trick users into clicking it. No authentication or special privileges required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://plugins.trac.wordpress.org/browser/justclick-subscriber/
Restart Required: No
Instructions:
1. Remove the JustClick plugin from your WordPress installation. 2. Delete the plugin files from /wp-content/plugins/justclick-subscriber/. 3. Consider alternative registration plugins that are actively maintained.
🔧 Temporary Workarounds
Input Sanitization Filter
allAdd custom PHP code to sanitize PHP_SELF variable before use
Add to theme's functions.php or custom plugin: add_filter('wp_redirect', function($location) { return esc_url($location); });
Content Security Policy
allImplement strict CSP headers to prevent script execution
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https:;"
Or add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https:");
🧯 If You Can't Patch
- Disable the JustClick plugin immediately via WordPress admin panel
- Implement web application firewall (WAF) rules to block malicious PHP_SELF parameter patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins page for JustClick Subscriber plugin. If installed and version is 0.1 or earlier, you are vulnerable.Check Version:
wp plugin list --name=justclick-subscriber --field=version (if WP-CLI installed) or check plugin details in WordPress adminVerify Fix Applied:
Verify the plugin is removed by checking /wp-content/plugins/ directory for justclick-subscriber folder and confirming it's not listed in WordPress plugins.📡 Detection & Monitoring
Log Indicators:
- Unusual long URLs with script tags in access logs
- Multiple 404 errors for JustClick plugin paths
- Referrer URLs containing JavaScript payloads
Network Indicators:
- HTTP requests with JavaScript in PHP_SELF parameter
- Unusual redirects from JustClick plugin pages
SIEM Query:
source="web_access_logs" AND (uri="*justclick*" AND (uri="*<script*" OR uri="*javascript:*" OR uri="*onload=*"))