CVE-2025-13308

Name of the Vulnerable Software and Affected Versions WordPress Application Passwords plugin versions up to and including 0.1.3

Description The Application Passwords plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output escaping of user-supplied URLs. Specifically, the reject url parameter is vulnerable. This allows attackers to embed javascript: URI schemes within the reject url parameter. Successful exploitation requires tricking a user into clicking a malicious link, which then executes arbitrary web scripts when the user clicks the "No, I do not approve of this connection" button. The API endpoint involved is not explicitly mentioned. The vulnerable parameter is reject url.

Recommendations Update WordPress Application Passwords plugin to a version later than 0.1.3.