CVE-2025-15000

4.4 MEDIUM

📋 TL;DR

The Page Keys WordPress plugin has a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into pages. These scripts execute when users view the compromised pages. Only WordPress multi-site installations and installations with unfiltered_html disabled are affected.

💻 Affected Systems

Products:
  • WordPress Page Keys plugin
Versions: All versions up to and including 1.3.3
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects WordPress multi-site installations and installations where unfiltered_html capability is disabled

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leading to site takeover, data theft, or malware distribution to visitors

🟠 Likely Case

Session hijacking, credential theft, or defacement of affected pages

🟢 If Mitigated

Limited impact due to requiring admin privileges and specific WordPress configurations

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires administrator-level access to WordPress

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.4 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/page-keys/tags/1.3.4/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Page Keys plugin
4. Click 'Update Now' if available
5. Or download version 1.3.4+ from WordPress repository
6. Upload and replace existing plugin files

🔧 Temporary Workarounds

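Disable unfiltered_html restriction (platform: all)

Enable the unfiltered_html capability for administrators to bypass the vulnerability condition. This removes the affected configuration rather than the flaw: administrators are then allowed to post unfiltered HTML by design. On multi-site, WordPress grants unfiltered_html only to super admins, so this setting does not change the condition for regular site administrators there.

Add to wp-config.php: define('DISALLOW_UNFILTERED_HTML', false);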

Remove plugin (platform: linux)

Temporarily deactivate and remove the vulnerable plugin

wp plugin deactivate page-keys
wp plugin delete page-keys

🧯 If You Can't Patch

  • Restrict administrator account access to trusted personnel only
  • Implement web application firewall rules to block XSS payloads in page_key parameter

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Page Keys → Version. If version is 1.3.3 or lower, you are vulnerable

Check Version:

wp plugin get page-keys --field=version

Verify Fix Applied:

Verify Page Keys plugin version is 1.3.4 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity modifying page keys
  • POST requests to page-key endpoints with script tags

Network Indicators:

  • HTTP requests containing script payloads in page_key parameter

SIEM Query:

source="wordpress.log" AND "page_key" AND ("<script>" OR "javascript:")
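
The SIEM query above matches literal strings only, so URL-encoded or mixed-case values slip past it. The following added example (not part of the original advisory or the plugin's code) applies the same indicators after decoding; the log format, user names and endpoint path are constructed assumptions, and only the page_key parameter name comes from this page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Markers from the page's SIEM query, matched case-insensitively after decoding.
MARKERS = re.compile(r"<\s*script|javascript:", re.IGNORECASE)

# Constructed sample log: the line format, users and endpoint path are assumptions.
LOG = """\
2025-01-10T09:14:02Z user=admin POST /wp-admin/PLACEHOLDER params=page_key=landing-2025&submit=Save
2025-01-10T09:15:40Z user=admin POST /wp-admin/PLACEHOLDER params=page_key=%3CScRiPt%3Ex%3C%2Fscript%3E&submit=Save
2025-01-10T09:16:11Z user=editor POST /wp-admin/PLACEHOLDER params=page_key=%253Cscript%253Ex&submit=Save
2025-01-10T09:17:05Z user=admin POST /wp-admin/PLACEHOLDER params=title=about+javascript%3A+basics
"""

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded values are normalized."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return (user field, decoded value) for each suspicious page_key parameter."""
    hits = []
    for line in log_text.splitlines():
        head, sep, params = line.partition(" params=")
        if not sep:
            continue  # line carries no request parameters
        fields = head.split()
        user = fields[1] if len(fields) > 1 else "user=?"
        # parse_qsl decodes once; decode_fully handles any remaining layers.
        for name, value in parse_qsl(params, keep_blank_values=True):
            value = decode_fully(value)
            # Scope the match to page_key so unrelated fields do not alert.
            if name.startswith("page_key") and MARKERS.search(value):
                hits.append((user, value))
    return hits

if __name__ == "__main__":
    for user, value in scan(LOG):
        print(f"ALERT {user} page_key={value!r}")
```

The fourth sample line contains "javascript:" in a different parameter and is not reported, which is the difference from a whole-line string match.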
