Description
The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-14
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Update
AI Analysis

Impact

The Makesweat plugin for WordPress suffers a stored cross‑site scripting flaw that allows an authenticated user with administrator privileges, or higher, to inject arbitrary JavaScript into the 'makesweat_clubid' configuration setting. The input is neither sanitized nor escaped before being stored, meaning that any user who later views a page containing the affected setting will execute the injected script. Because the script runs in the context of the visitor, attackers can steal session cookies, deface the site, or perform phishing. The vulnerability does not provide remote code execution on the server, but it can undermine the confidentiality and integrity of site users and compromise the trust relationship with the site.

Affected Systems

It affects the Makesweat WordPress plugin, versions up to and including 0.1. The vulnerability exists in all builds up to that version, and users of the 0.1 release or older are susceptible. No later versions have been explicitly listed as affected, but verification is recommended.

Risk and Exploitability

The CVSS score of 4.4 indicates a low severity, and the EPSS score of <1 % reflects a very low probability of real‑world exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers must first authenticate as an administrator or higher, which limits the attack surface to privileged accounts. The stored nature of the flaw means the malicious payload only activates when users view the compromised page, so opportunistic exploitation requires an attacker to have both administrative access and a victim viewing the page.

Generated by OpenCVE AI on April 21, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Makesweat plugin to the latest version that removes the unauthenticated handling of the 'makesweat_clubid' field or provides proper sanitization.
  • Restrict administrator‑level access to the plugin settings by tightening WordPress role capabilities or using two‑factor authentication for administrator accounts.
  • If an immediate upgrade cannot be performed, manually edit the affected setting to remove any potential script injection or add output escaping to the plugin code (e.g., wrapper functions that call esc_html or esc_js when rendering the setting), keeping in mind that this is a code‑level workaround rather than an official fix.

Generated by OpenCVE AI on April 21, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000

Type Values Removed Values Added
Description The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Makesweat <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid' Setting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:20.676Z

Reserved: 2025-11-24T21:18:48.758Z

Link: CVE-2025-13627

cve-icon Vulnrichment

Updated: 2026-01-14T15:44:29.325Z

cve-icon NVD

Status : Deferred

Published: 2026-01-14T06:15:51.817

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13627

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses