CVE-2025-13993

5.5 MEDIUM

📋 TL;DR

The MailerLite WordPress plugin is vulnerable to stored cross-site scripting (XSS) in versions up to 1.7.16. Authenticated attackers with administrator privileges can inject malicious scripts into form descriptions and success messages, which execute when users view affected pages. This affects WordPress sites using the vulnerable plugin.

💻 Affected Systems

Products:
  • MailerLite – Signup forms (official) WordPress plugin
Versions: Up to and including 1.7.16
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the plugin enabled. Attack requires administrator-level authentication.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with compromised admin credentials could inject persistent malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users.

🟠 Likely Case

Malicious administrators or attackers who gain admin access inject tracking scripts, deface forms, or steal limited user data through client-side attacks.

🟢 If Mitigated

With proper input validation and output escaping, the vulnerability is prevented, and even if exploited, impact is limited by same-origin policy and user awareness.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access but is technically simple once authenticated. The vulnerability is in publicly accessible code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.17 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3416100/official-mailerlite-sign-up-forms/trunk/src/Controllers/AdminController.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find 'MailerLite – Signup forms (official)' and click 'Update Now'.
  4. Verify the plugin version is 1.7.17 or higher.

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily deactivate the MailerLite plugin until patched:

wp plugin deactivate official-mailerlite-sign-up-forms

Restrict admin access (applies to: all)

Implement strict access controls and monitoring for administrator accounts.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in form parameters
  • Apply principle of least privilege: review and reduce administrator accounts to only essential personnel

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for MailerLite plugin version. If version is 1.7.16 or lower, you are vulnerable.

Check Version:

wp plugin get official-mailerlite-sign-up-forms --field=version

Verify Fix Applied:

After updating, verify the plugin version shows 1.7.17 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin account activity
  • POST requests to admin-ajax.php with script tags in form_description or success_message parameters

Network Indicators:

  • Unexpected script tags in form content served to users

SIEM Query:

source="wordpress.log" AND ("form_description" OR "success_message") AND ("<script" OR "javascript:")
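As an added example (not from the advisory, the plugin, or any SIEM product), a small Python scanner that applies the log indicator above to a few constructed request-log lines. The parameter names and the `<script` / `javascript:` patterns come from the advisory; the single-line log format and the `mailerlite_save` action name are assumptions, and the sample lines are constructed.

```python
"""Scan constructed WordPress request logs for the CVE-2025-13993 indicator:
a POST to admin-ajax.php whose form_description or success_message parameter
carries script content, even when the payload is URL-encoded."""
import re
from urllib.parse import parse_qs, unquote

# Parameter names named by the advisory's log indicators.
WATCHED_PARAMS = ("form_description", "success_message")
# Same patterns as the advisory's SIEM query, matched case-insensitively
# after URL-decoding so that %3Cscript is not missed.
SCRIPT_PATTERNS = re.compile(r"<script|javascript:", re.IGNORECASE)

# Constructed sample log lines in an assumed "user method path body" format.
SAMPLE_LOG = """\
admin POST /wp-admin/admin-ajax.php action=mailerlite_save&form_description=Join%20our%20list&success_message=Thanks
admin POST /wp-admin/admin-ajax.php action=mailerlite_save&form_description=%3Cscript%3Ealert(1)%3C%2Fscript%3E&success_message=Thanks
editor GET /wp-admin/admin-ajax.php action=heartbeat
admin POST /wp-admin/admin-ajax.php action=mailerlite_save&form_description=Join&success_message=%3Ca%20href%3D%22JavaScript%3Aalert(1)%22%3Eok%3C%2Fa%3E
admin POST /wp-admin/admin-ajax.php action=mailerlite_save&form_description=We%20love%20%3Cb%3Escripts%3C%2Fb%3E
"""


def suspicious_values(body: str) -> list:
    """Return (param, decoded_value) pairs for watched params carrying script content."""
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            # parse_qs already decoded once; a second unquote catches
            # double-encoded payloads such as %253Cscript.
            decoded = unquote(value)
            if SCRIPT_PATTERNS.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list:
    """Return one alert dict per POST to admin-ajax.php with a suspicious watched param."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        user, method, path, body = (line.split(" ", 3) + [""] * 4)[:4]
        if method != "POST" or not path.endswith("/admin-ajax.php"):
            continue  # GET heartbeats and other endpoints are out of scope
        hits = suspicious_values(body)
        if hits:
            alerts.append({"line": lineno, "user": user, "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Lines 2 and 4 of the sample are flagged; line 5 is not, because the plain word "scripts" inside a `<b>` tag matches neither pattern.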
