CVE-2025-13456
Shopbuilder < 3.2.2 - Reflected XSSThe ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
We have discovered 396 live websites that are affected by CVE-2025-13456.
Affected Software
| Product |  Shopbuilder |
| Category | Wordpress Plugins |
| Vulnerable Domains | 396 live websites (86% of Shopbuilder install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 32 versions ( 94% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Jan 2, 2026
- Updated - Jan 2, 2026
Credits
- Gregory Allegoet (finder)
- WPScan (coordinator)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-13456 United States | 108 websites |
 India | 32 websites |
 GB | 20 websites |
 Cyprus | 20 websites |
 Italy | 17 websites |
 France | 14 websites |
 Germany | 13 websites |
 Turkey | 10 websites |
 Poland | 10 websites |
 Netherlands | 10 websites |
Website Distribution by TLD
Number of websites using CVE-2025-13456| .com | 183 websites |
| .it | 11 websites |
| .co.uk | 11 websites |
| .org | 11 websites |
| .pl | 10 websites |
| .com.br | 8 websites |
| .nl | 8 websites |
| .com.au | 7 websites |
| .ca | 5 websites |
| .fr | 5 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-13456
Top websites that are affected by CVE-2025-13456. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.stream | United States | *,***,*** | |
| *******.pl | Poland | *,***,*** | |
| ********************.nl | Netherlands | *,***,*** | |
| ****************.pl | Poland | *,***,*** | |
| ***************.**.uk | GB | *,***,*** | |
| ********.se |  Sweden | *,***,*** | |
| ************.com | Italy | *,***,*** | |
| *******.com | GB | *,***,*** | |
| ***************.com | United States | *,***,*** | |
| *****.pl | Poland | *,***,*** |
FAQ
CVE-2025-13456 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Shopbuilder
A total of 396 websites have been identified as vulnerable to CVE-2025-13456, based on global website indexing conducted by WebTechSurvey.
The Shopbuilder is affected by the CVE-2025-13456 vulnerability.
Shopbuilder versions up to 3.2.2 are vulnerable to CVE-2025-13456.
CVE-2025-13456 is resolved in version 3.2.2 of Shopbuilder.