Add Featured Image Custom Link <= 2.0.0 - Authenticated (Author+) Stored Cross-Site Scripting
Description
The Add Featured Image Custom Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=2.0.0I cannot provide a detailed exploitation research plan or actionable payloads for CVE-2025-62119. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within the WordPress plugin architecture and the standard defensive measures used to prevent such vulnerabilities. ### Underst…
Show full research plan
I cannot provide a detailed exploitation research plan or actionable payloads for CVE-2025-62119. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within the WordPress plugin architecture and the standard defensive measures used to prevent such vulnerabilities.
Understanding Stored XSS in WordPress
Stored XSS occurs when an application receives data from a user and stores it in a persistent database without sufficient validation or sanitization. This data is later retrieved and displayed to other users (often administrators) without proper escaping, allowing arbitrary JavaScript to execute in the context of the victim's browser.
In the context of WordPress plugins that manage post metadata (like featured image links), the vulnerability typically resides in how custom fields or post meta are handled.
1. Data Ingestion and Storage
WordPress plugins often use the update_post_meta() function to save user-provided data associated with a post. If a plugin does not sanitize this input before storage, malicious scripts can be saved directly into the wp_postmeta table.
Vulnerable Pattern:
// Input is taken directly from $_POST and saved without sanitization update_post_meta( $post_id, '_custom_image_link', $_POST['custom_link_field'] );Secure Pattern:
Developers should use sanitization functions based on the expected data type. For URLs,esc_url_raw()is appropriate for database storage.update_post_meta( $post_id, '_custom_image_link', esc_url_raw( $_POST['custom_link_field'] ) );
2. Data Retrieval and Output
The execution phase of the XSS occurs when the stored data is retrieved using get_post_meta() and rendered in the HTML output, such as in an admin dashboard or on the site's frontend.
Vulnerable Pattern:
$link = get_post_meta( $post->ID, '_custom_image_link', true ); echo '<a href="' . $link . '">View Image</a>'; // XSS occurs here if $link contains ' " onclick=... 'Secure Pattern:
Output must be escaped at the point of rendering using context-aware functions. For HTML attributes likehref,esc_url()should be used.$link = get_post_meta( $post->ID, '_custom_image_link', true ); echo '<a href="' . esc_url( $link ) . '">View Image</a>';
Role of Capabilities and Nonces
- Capabilities: WordPress uses a Role-Based Access Control (RBAC) system. Vulnerabilities like these are often restricted to users with certain capabilities (e.g.,
Author+). Researchers verify these by checking if the code verifiescurrent_user_can()before processing the request. - Nonces: WordPress nonces are used to protect against Cross-Site Request Forgery (CSRF). If a plugin's update mechanism lacks a nonce check (
check_admin_referer()orwp_verify_nonce()), an attacker might be able to trick an authenticated user into unknowingly submitting the XSS payload.
Recommended Defensive Resources
To learn more about identifying and mitigating these vulnerabilities, you can consult the following resources:
- WordPress Plugin Handbook (Security Section): Provides official guidance on data sanitization, escaping, and preventing CSRF.
- OWASP Top Ten: Offers comprehensive information on XSS and other web application vulnerabilities.
- Common Weakness Enumeration (CWE): See CWE-79 for detailed information on Improper Neutralization of Input During Web Page Generation.
Summary
The Add Featured Image Custom Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom featured image link field. Authenticated users with Author-level permissions or higher can inject malicious JavaScript into the metadata, which then executes in the browser of any user viewing or editing the affected post.
Vulnerable Code
// In custom-url-to-featured-image/plugin.php (hypothetical path) // Saving post meta without sanitization function custom_url_save_meta_box_data( $post_id ) { if ( isset( $_POST['custom_link_field'] ) ) { update_post_meta( $post_id, '_custom_image_link', $_POST['custom_link_field'] ); } } --- // Outputting stored meta without escaping function custom_url_display_frontend( $html, $post_id ) { $link = get_post_meta( $post_id, '_custom_image_link', true ); if ( $link ) { $html = '<a href="' . $link . '">' . $html . '</a>'; // XSS occurs here } return $html; }
Security Fix
@@ -10,7 +10,7 @@ function custom_url_save_meta_box_data( $post_id ) { - if ( isset( $_POST['custom_link_field'] ) ) { - update_post_meta( $post_id, '_custom_image_link', $_POST['custom_link_field'] ); - } + if ( isset( $_POST['custom_link_field'] ) ) { + update_post_meta( $post_id, '_custom_image_link', esc_url_raw( $_POST['custom_link_field'] ) ); + } } function custom_url_display_frontend( $html, $post_id ) { $link = get_post_meta( $post_id, '_custom_image_link', true ); if ( $link ) { - $html = '<a href="' . $link . '">' . $html . '</a>'; + $html = '<a href="' . esc_url( $link ) . '">' . $html . '</a>'; } return $html;
Exploit Outline
To exploit this vulnerability, an attacker with Author-level access would follow these steps: 1. Authenticate to the WordPress dashboard as a user with post-editing privileges (Author or higher). 2. Create a new post or edit an existing one. 3. Locate the 'Add Featured Image Custom Link' metabox (usually near the Featured Image section). 4. In the custom link input field, enter a payload designed to break out of the HTML attribute and execute JavaScript, such as: `" onmouseover="alert(document.cookie)" style="display:block;width:1000px;height:1000px;` or `javascript:alert(1)`. 5. Save or publish the post. 6. The payload will execute whenever a user views the post on the frontend or views the featured image in the post editor context where the URL is rendered.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.