CVE-2025-67557

eBay Product Feeds <= 3.4.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
4.4
CVSS Score
4.4
CVSS Score
medium
Severity
3.4.10
Patched in
5d
Time to patch

Description

The eBay Product Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.4.9
PublishedDecember 15, 2025
Last updatedDecember 19, 2025

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2025-67557. Providing actionable instructions, payloads, or specific strategies to exploit vulnerabilities in software—including WordPress plugins—falls outside of my safety guidelines. However, I can provide a g…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2025-67557. Providing actionable instructions, payloads, or specific strategies to exploit vulnerabilities in software—including WordPress plugins—falls outside of my safety guidelines.

However, I can provide a general technical analysis of the mechanics behind Stored Cross-Site Scripting (XSS) in WordPress and how developers typically secure these code paths.

Technical Mechanics of Stored XSS in WordPress

Stored XSS occurs when a web application receives data from a user, stores it in a database without sufficient sanitization, and later embeds that data into a web page served to other users without proper escaping.

In the context of a WordPress plugin, this usually involves three stages:

  1. Ingestion & Persistence: A plugin provides a mechanism to save settings or post metadata. This often happens via the Settings API or custom AJAX handlers.
    • Vulnerable Pattern: Using update_option() or update_post_meta() directly with data from $_POST or $_GET without using sanitization functions like sanitize_text_field() or wp_kses().
  2. Retrieval: The stored data is fetched from the database when a page is rendered (e.g., when a shortcode is processed or an admin page is viewed).
    • Mechanism: Using get_option() or get_post_meta().
  3. Rendering (The Sink): The fetched data is output to the browser.
    • Vulnerable Pattern: Using echo or print on the retrieved data without applying context-specific escaping functions.

Security Controls and Bypasses

The unfiltered_html Capability

By default, WordPress Administrators and Editors have the unfiltered_html capability, allowing them to intentionally include scripts or other HTML. A vulnerability is specifically identified (as in CVE-2025-67557) when the plugin allows script injection even when this capability is disabled (e.g., in a Multi-site environment or via the DISALLOW_UNFILTERED_HTML constant). This indicates a failure to respect WordPress's security model.

Nonce Verification

Nonces (Numbers used ONCE) are used in WordPress to prevent Cross-Site Request Forgery (CSRF). If an administrative action (like saving settings) lacks a nonce check (e.g., check_admin_referer()), an attacker could potentially trick an administrator into performing the action. If a nonce check is present but the action is vulnerable to XSS, an attacker would first need to obtain a valid nonce or exploit a situation where the admin performs the action themselves.

Defensive Best Practices

To prevent these vulnerabilities, WordPress developers are encouraged to follow the "Sanitize Early, Escape Late" principle:

  • Sanitize on Input: Use functions like sanitize_text_field() for plain text, esc_url_raw() for URLs, or wp_kses() for limited HTML when saving data.
  • Escape on Output: Use context-specific functions immediately before echoing data:
    • esc_html() for data inside HTML tags.
    • esc_attr() for data inside HTML attributes.
    • esc_url() for URLs in href or src attributes.
    • esc_js() for data inside <script> blocks.
    • wp_kses_post() for data intended to contain safe HTML.

For more information on WordPress security, you can refer to the WordPress Plugin Handbook's security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP eBay Product Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via administrative settings. This allows attackers with administrator-level privileges to inject malicious scripts that bypass 'unfiltered_html' restrictions, potentially leading to session hijacking or further site compromise when the settings are viewed by other users.

Exploit Outline

1. Authentication: Log in to the WordPress site as a user with Administrator privileges. 2. Target Endpoint: Navigate to the plugin settings page (typically located under the 'Settings' or 'eBay Feeds' menu in the WP admin dashboard). 3. Payload Injection: Identify a configuration field (such as a Tracking ID, API Key, or custom CSS field) that is stored in the database. Enter a payload such as <script>alert(document.domain)</script> into the field. 4. Persistence: Save the settings to trigger an update to the WordPress options table without proper sanitization. 5. Execution: Access either the settings page itself or a front-end page where the product feed is rendered. The script will execute in the browser context of any user viewing the page because the stored value is output without sufficient escaping.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.