CVE-2025-13418 Overview
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plan_icons parameter in all versions up to, and including, 5.1.12. The vulnerability stems from insufficient input sanitization and output escaping, allowing authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts execute whenever any user accesses an injected page, potentially compromising site visitors and administrators alike.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the context of other users' sessions, potentially leading to session hijacking, credential theft, or further site compromise.
Affected Products
- Responsive Pricing Table plugin for WordPress versions up to and including 5.1.12
- WordPress sites using the affected plugin with Author-level or higher user accounts
Discovery Timeline
- 2026-01-07 - CVE CVE-2025-13418 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-13418
Vulnerability Analysis
This Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) exists in the Responsive Pricing Table plugin's handling of the plan_icons parameter. The plugin fails to properly sanitize user input and escape output when processing icon data for pricing table plans.
When an authenticated user with Author-level privileges or above submits data through the plan_icons parameter, the application does not adequately validate or sanitize the input. The stored payload is then rendered without proper output escaping when pages containing the pricing table are accessed, causing the malicious script to execute in the browser context of any visiting user.
The cross-site nature of this vulnerability means that malicious scripts can execute with the privileges of the victim user, potentially affecting administrators who view affected pages and enabling privilege escalation scenarios.
Root Cause
The root cause is twofold: insufficient input sanitization when the plan_icons parameter value is stored in the database, and inadequate output escaping when the stored data is rendered on the front-end. This allows HTML and JavaScript content to be preserved through the storage and display cycle, enabling persistent script injection.
WordPress provides built-in sanitization functions like sanitize_text_field() and escaping functions like esc_html() and esc_attr() that should be applied to user-controllable input. The vulnerable code path bypasses or inadequately implements these security controls.
Attack Vector
The attack requires network access and authenticated Author-level privileges on the target WordPress installation. An attacker would craft a malicious payload containing JavaScript code within the plan_icons parameter when creating or editing a pricing table. Once saved, the payload persists in the database and executes whenever any user—including administrators—views a page containing the compromised pricing table.
The attack does not require user interaction beyond normal page viewing, and the scope is changed (affecting users other than the attacker), enabling attacks against higher-privileged accounts.
Detection Methods for CVE-2025-13418
Indicators of Compromise
- Unexpected JavaScript or HTML content within pricing table configuration data in the WordPress database
- Unusual <script> tags or event handlers (e.g., onerror, onload) in the plan_icons field values
- Reports of suspicious browser behavior when viewing pages with pricing tables
- Unauthorized modifications to pricing table configurations by Author-level accounts
Detection Strategies
- Review WordPress database entries for the Responsive Pricing Table plugin for suspicious script content or encoded payloads
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in POST requests to plugin endpoints
- Monitor WordPress audit logs for pricing table modifications by non-administrative users
- Deploy browser-based XSS detection tools that alert on unexpected script execution
Monitoring Recommendations
- Enable detailed logging for WordPress plugin activity, particularly for content modification events
- Configure Content Security Policy (CSP) headers to restrict inline script execution and report violations
- Implement real-time monitoring for DOM modifications and suspicious script behavior on pricing table pages
- Set up alerts for Author-level users making frequent or unusual plugin configuration changes
How to Mitigate CVE-2025-13418
Immediate Actions Required
- Update the Responsive Pricing Table plugin to a patched version if available from the WordPress Plugin Directory
- Review existing pricing table configurations for any suspicious or unexpected content in the plan_icons field
- Restrict Author-level access to only trusted users until the vulnerability is patched
- Implement Content Security Policy headers to mitigate the impact of any existing XSS payloads
Patch Information
Check the Wordfence Vulnerability Report for the latest patch status and update information. WordPress administrators should update to the latest version of the plugin as soon as a security fix is released by the vendor.
Workarounds
- Temporarily deactivate the Responsive Pricing Table plugin until a patched version is available
- Limit user account privileges by demoting untrusted Author-level users to Contributor or Subscriber roles
- Implement server-side input validation rules to strip HTML and JavaScript from pricing table fields
- Deploy a Web Application Firewall with XSS filtering capabilities to block malicious payloads at the network layer
# Example: Add Content Security Policy header in .htaccess to mitigate XSS impact
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
