## https://sploitus.com/exploit?id=95EFD3E2-CB2E-586B-BA2F-0DDE213012DA
# CVE-2025-14893: Authenticated Stored Cross-Site Scripting (XSS) in IndieWeb WordPress Plugin
> **Disclaimer:** This repository is created for **educational purposes and ethical disclosure only**. The vulnerability has been responsibly reported to the vendor and patched. Do not use this information to exploit systems without proper authorization.
## Executive Summary
A **Stored Cross-Site Scripting (XSS)** vulnerability was discovered in the **IndieWeb** plugin for WordPress (versions get( 'tel' ); ?>">get( 'tel' ); ?>
```
**The Flaw:**
The plugin directly outputs the user's `tel` metadata inside the `href` HTML attribute using `echo` without wrapping it in `esc_attr()`. This allows an attacker to supply a crafted string that includes a double-quote (`"`) to prematurely close the `href` attribute, followed by arbitrary HTML attributes (such as `style` or `onclick`).
## Business Impact
* **Account Takeover (ATO):** If an Administrator interacts with the manipulated element, the attacker's JavaScript can steal session cookies or execute administrative AJAX requests, granting the attacker full control over the WordPress site.
* **Reputation Damage:** The attacker can modify the visible elements of the page (defacement) or redirect legitimate visitors to malicious third-party websites.
## Proof of Concept (PoC)
### Prerequisites
1. WordPress installed with IndieWeb `get( 'tel' ) ); ?>">get( 'tel' ) ); ?>
```
## Timeline
* **Date (2026-03-03):** Reported to Wordfence.
* **Date (2026-03-20):** Vulnerability patched / Public disclosure.
## References & Credits
* [Wordfence Vulnerability Database](https://www.wordfence.com/threat-intel/vulnerabilities/id/b29f0fea-a2db-4b2e-b7b8-d15b2395e9e6)
* [CVE-2025-14893 on NVD](https://vulners.com/cve/CVE-2025-14893)
* [IndieWeb Plugin on WordPress.org](https://wordpress.org/plugins/indieweb/)