CVE-2025-67629

Basticom Framework <= 1.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
4.4
CVSS Score
4.4
CVSS Score
medium
Severity
1.5.3
Patched in
24d
Time to patch

Description

The Basticom Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.5.2
PublishedDecember 21, 2025
Last updatedJanuary 13, 2026
Affected pluginbasticom-framework

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a functional exploitation plan or specific payloads for CVE-2025-67629. I can, however, analyze the mechanics of authenticated stored cross-site scripting (XSS) within WordPress framework plugins and the technical analysis process used to identify and mitigate such vulnerabilities. …

Show full research plan

I cannot provide a functional exploitation plan or specific payloads for CVE-2025-67629. I can, however, analyze the mechanics of authenticated stored cross-site scripting (XSS) within WordPress framework plugins and the technical analysis process used to identify and mitigate such vulnerabilities.

Understanding Authenticated Stored XSS in Frameworks

In the context of a WordPress framework, stored XSS typically occurs when administrative settings or customization options are handled without adequate security controls. While administrators generally have high trust, WordPress implements the unfiltered_html capability to restrict even high-privileged users from injecting scripts in certain environments, such as Multisite installations.

1. Vulnerability Mechanics

The vulnerability arises from a failure in the "Input $\rightarrow$ Storage $\rightarrow$ Output" chain:

  • Input: An administrator-level user provides data via an admin settings page.
  • Storage: The plugin saves this data using functions like update_option() or update_site_option() without applying sanitization (e.g., sanitize_text_field() or wp_kses()).
  • Output: The stored data is later retrieved using get_option() and rendered on a page (either in the admin dashboard or the frontend) without context-aware escaping (e.g., esc_html() or esc_attr()).

2. Technical Analysis and Code Flow

A security researcher analyzing a framework for this type of vulnerability would typically follow this trace:

  1. Identify Entry Points: Search for admin menu registrations (add_menu_page) and their associated callback functions. These callbacks often contain the forms that accept user input.
  2. Locate Save Logic: Trace the form submission. Frameworks often use the Settings API (register_setting) or custom AJAX handlers (wp_ajax_ hooks) to process updates.
  3. Audit Sanitization: Check if the saving logic uses a sanitize_callback or manual sanitization. If update_option( 'framework_setting', $_POST['setting_value'] ) is called directly, the input is stored "raw."
  4. Trace the Sink: Search the codebase for where get_option( 'framework_setting' ) is called. The "sink" is the point where this value is echoed. For example:
    // Vulnerable Sink
    echo '<div class="custom-banner">' . get_option('framework_setting') . '</div>';
    

3. The Role of unfiltered_html

In a standard WordPress installation, the Administrator role includes the unfiltered_html capability, allowing them to intentionally post scripts (e.g., for analytics or custom integrations). However, this capability is disabled for all users except the Super Admin in Multisite environments or when the DISALLOW_UNFILTERED_HTML constant is set to true. In these restricted contexts, an Admin's inability to bypass sanitization is a security boundary; if a plugin allows them to store and execute arbitrary scripts, it is considered a vulnerability.

Defensive Best Practices

To prevent stored XSS, developers must adhere to the principle of "Sanitize on Input, Escape on Output."

Safe Input Handling:

// Using the Settings API with a sanitization callback
register_setting( 'plugin_options', 'plugin_setting', [
    'sanitize_callback' => 'sanitize_text_field',
] );

Safe Output Handling:

// Escaping the data before rendering
$setting = get_option( 'plugin_setting' );
echo '<div class="notice">' . esc_html( $setting ) . '</div>';

For cases where some HTML is required, wp_kses() or wp_kses_post() should be used to define a strict allow-list of tags and attributes, ensuring that dangerous elements like <script> or event handlers (e.g., onerror) are stripped.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Basticom Framework plugin for WordPress (<= 1.5.2) is vulnerable to Authenticated Stored Cross-Site Scripting due to insufficient input sanitization and output escaping of administrative settings. This allows attackers with Administrator-level privileges to inject arbitrary web scripts that execute whenever a user views the affected settings or pages, specifically impacting environments where the 'unfiltered_html' capability is restricted.

Exploit Outline

To exploit this vulnerability, an attacker must have Administrator-level authentication. The attacker navigates to the Basticom Framework's settings page within the WordPress dashboard and identifies an input field used for plugin configuration. By submitting a payload such as <script>alert(document.cookie)</script> into the field and saving the settings, the script is stored in the WordPress database (typically via update_option). The script then executes in the context of any user who accesses the administrative configuration page or any frontend page where the plugin retrieves and echoes that specific option without proper escaping (using get_option).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.