CVE-2025-13895

6.1 MEDIUM

Cross-Site Scripting

📋 TL;DR

The Top Position Google Finance WordPress plugin has a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via crafted URLs. All WordPress sites using this plugin version 0.1.0 or earlier are affected. Attackers can steal session cookies, redirect users, or perform actions on their behalf by tricking them into clicking malicious links.

💻 Affected Systems

Products:

• Top Position Google Finance WordPress Plugin

Versions: All versions up to and including 0.1.0

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: All WordPress installations with this plugin enabled are vulnerable regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

1. Review the CVE details at NVD
2. Check vendor security advisories for your specific version
3. Test if the vulnerability is exploitable in your environment
4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator session cookies, gain full control of WordPress site, install backdoors, deface website, or steal sensitive data.

🟠

Likely Case

Attackers steal user session cookies, redirect users to phishing sites, or perform limited actions within the user's current session context.

🟢

If Mitigated

Script execution is blocked by modern browser XSS protections or Content Security Policy, limiting impact to basic script injection attempts.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Reflected XSS via $_SERVER['PHP_SELF'] is a well-known attack vector requiring only a crafted URL. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/fcbf81f8-8b33-4b83-91fb-626b7b5f3bb2

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Locate 'Top Position Google Finance'
4. Click 'Deactivate' then 'Delete'
5. Remove plugin files completely from /wp-content/plugins/top-position-google-finance/

🔧 Temporary Workarounds

Implement Content Security Policy

all

Add CSP headers to block inline script execution and restrict script sources

Copy

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");

Web Application Firewall Rules

all

Block requests containing malicious script patterns in URLs

Copy

ModSecurity rule: SecRule ARGS "<script" "id:1001,phase:2,deny,status:403,msg:'XSS Attack Detected'"
Cloudflare WAF: Enable XSS protection rules

🧯 If You Can't Patch

• Disable or remove the Top Position Google Finance plugin immediately
• Implement strict Content Security Policy headers to mitigate script execution

🔍 How to Verify

Check if Vulnerable:

Copy

Check if /wp-content/plugins/top-position-google-finance/ directory exists and contains version 0.1.0 or earlier files

Check Version:

Copy

grep -r "Version:" /wp-content/plugins/top-position-google-finance/top-position-google-finance.php

Verify Fix Applied:

Copy

Confirm plugin directory is completely removed from /wp-content/plugins/

📡 Detection & Monitoring

Log Indicators:

• URLs containing <script> tags or JavaScript in query parameters
• Multiple 404 errors for plugin-specific paths
• Unusual referrer headers containing script payloads

Network Indicators:

• HTTP requests with script tags in URL parameters
• Outbound connections to suspicious domains following plugin page visits

SIEM Query:

Copy

source="web_logs" AND (url="*<script*" OR url="*javascript:*" OR url="*onload=*" OR url="*onerror=*") AND url="*/wp-content/plugins/top-position-google-finance/*"

📊 Metadata

CVE ID: CVE-2025-13895

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.13% exploit probability (32.5th percentile)

Published: January 9, 2026

Last Updated: January 13, 2026

🔗 References

• https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L56
• https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L78
• https://www.wordfence.com/threat-intel/vulnerabilities/id/fcbf81f8-8b33-4b83-91fb-626b7b5f3bb2?source=cve

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13895, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)

CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)

CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)