WP-Safety
CVE-2025-68848

amr cron manager <= 2.3 - Unauthenticated Stored Cross-Site Scripting

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The amr cron manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.3
PublishedJanuary 23, 2026
Last updatedJanuary 27, 2026
Affected pluginamr-cron-manager
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-68848 (amr cron manager) ## 1. Vulnerability Summary The **amr cron manager** plugin (versions <= 2.3) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists because the plugin fails to perform capability checks or nonce …

Show full research plan

Exploitation Research Plan - CVE-2025-68848 (amr cron manager)

1. Vulnerability Summary

The amr cron manager plugin (versions <= 2.3) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists because the plugin fails to perform capability checks or nonce verification on certain administrative actions processed during initialization (likely via init or admin_init hooks). Furthermore, input provided by users is stored in the database (likely in the wp_options table or a cron-related metadata field) and subsequently rendered in the plugin's administration dashboard without adequate sanitization or output escaping.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-post.php or the site root index.php.
  • Vulnerable Action: An action triggered via $_REQUEST parameters, potentially amr_cron_manage_action or a direct settings update (inferred).
  • Payload Parameter: Likely a parameter intended for a cron hook name, arguments, or a plugin setting (e.g., amr_cron_name, hook, or a specific option field).
  • Authentication: Unauthenticated. The vulnerability exploits the fact that admin_init hooks run on administrative entry points even for unauthenticated users, and the plugin lacks current_user_can() checks.
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a request to /wp-admin/admin-post.php with a specific action.
  2. Hook Execution: WordPress triggers the admin_init hook. The plugin's handler (e.g., amr_cron_manager_init) executes.
  3. Missing Check: The handler checks for a parameter like $_REQUEST['action'] == 'save' or $_REQUEST['amr_cron_add_hook'] but fails to call current_user_can('manage_options') or check_admin_referer().
  4. Storage (Sink): The unsanitized input from $_REQUEST is passed to update_option() or added to the cron schedule array via wp_schedule_event().
  5. Rendering (Sink): When an administrator visits the Cron Manager page (/wp-admin/tools.php?page=amr-cron-manager), the plugin retrieves the stored value and echoes it directly: echo $hook_name; or echo $option_value;.

4. Nonce Acquisition Strategy

According to the CVE description, this is an unauthenticated vulnerability. If the plugin's logic fails to check for nonces and capabilities within a hook that runs for all users (like init or admin_init), no nonce is required.

Manual Verification of Nonce Requirement:

  1. Navigate to the site root as an unauthenticated user.
  2. Attempt the exploitation request without a nonce.
  3. If the response is a redirect or a success message (rather than a 403 or a "0"), the endpoint is vulnerable to unauthenticated access.

5. Exploitation Strategy

The goal is to inject a script into the cron list displayed in the WordPress admin panel.

Step 1: Inject Stored XSS Payload

We will target the "Add Cron" or "Settings" functionality which likely lacks authorization.

  • Tool: http_request
  • Method: POST
  • URL: https://[TARGET]/wp-admin/admin-post.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=amr_manage_cron&amr_cron_name=<script>alert(document.domain)</script>&amr_cron_schedule=hourly&submit=Add+Cron
    (Note: If admin-post.php fails, try the site root index.php as some plugins hook init.)

Step 2: Trigger Execution

The payload will execute when an administrator logs in and views the cron management page.

  • Target Page: /wp-admin/tools.php?page=amr-cron-manager

6. Test Data Setup

  1. Install and activate amr cron manager version 2.3.
  2. No specific content is required, as the vulnerability affects the administrative backend.

7. Expected Results

  1. The HTTP POST request returns a 302 Redirect (standard for admin-post.php) or a 200 OK.
  2. Upon accessing the admin page /wp-admin/tools.php?page=amr-cron-manager, a JavaScript alert box appearing with the domain name confirms successful XSS.

8. Verification Steps

After the exploitation attempt, use WP-CLI to verify the injection in the database:

# Check if a malicious hook name was added to the cron option
wp option get cron --format=json | grep "<script>"

# OR check if it was saved in a plugin-specific option
wp option list --search="amr_cron*" --field=option_value | grep "<script>"

9. Alternative Approaches

If the amr_manage_cron action is not the correct entry point, attempt to overwrite general plugin settings:

Alternative Payload (Settings Overwrite):

  • Method: POST
  • URL: https://[TARGET]/wp-admin/admin-post.php
  • Body: action=amr_cron_save_settings&some_setting_field=<img src=x onerror=alert(1)>

Alternative Payload (Search/Filter Reflection):
If the XSS is reflected in a search feature on the cron page:

  • URL: https://[TARGET]/wp-admin/tools.php?page=amr-cron-manager&s=<script>alert(1)</script>
    (Note: Reflected XSS in admin typically requires social engineering or a CSRF, but the CVE specifies "Stored".)
Research Findings
Static analysis — not yet PoC-verified

Summary

The amr cron manager plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting (XSS) in versions up to 2.3. The vulnerability stems from missing authorization checks (current_user_can) and nonce verification on administrative actions processed during plugin initialization. An unauthenticated attacker can inject malicious JavaScript into the cron schedule metadata, which is then executed when an administrator accesses the plugin's management page.

Exploit Outline

The attack targets administrative actions processed during initialization (via admin_init or init hooks) that lack authorization and nonce checks. An unauthenticated attacker sends a POST request to /wp-admin/admin-post.php or the site root with an action parameter such as 'amr_manage_cron' and a malicious payload in parameters such as 'amr_cron_name'. Because the plugin does not verify if the user has 'manage_options' capabilities, it stores the unsanitized payload in the database. The XSS payload is subsequently executed when an administrator views the plugin's management dashboard at /wp-admin/tools.php?page=amr-cron-manager, where the stored hook name is rendered without output escaping.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/00162c25-bf56-42cf-b9bd-f6435e788d3d?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database