CVE-2025-68037

Export Media URLs <= 2.2 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
2.3
Patched in
6d
Time to patch

Description

The Export Media URLs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.2
PublishedFebruary 4, 2026
Last updatedFebruary 9, 2026
Affected pluginexport-media-urls

Source Code

WordPress.org SVN
Research Plan
Unverified

## Vulnerability Summary The **Export Media URLs** plugin for WordPress (versions <= 2.2) is vulnerable to **Reflected Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize or escape user-controlled input from URL parameters before echoing it back into the HTML …

Show full research plan

Vulnerability Summary

The Export Media URLs plugin for WordPress (versions <= 2.2) is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability exists because the plugin fails to sanitize or escape user-controlled input from URL parameters before echoing it back into the HTML response. Specifically, an unauthenticated attacker can craft a malicious URL containing a script payload that will execute in the context of any user (including administrators) who clicks the link.

Attack Vector Analysis

  • Endpoint: Likely a generic WordPress initialization hook (init, admin_init) or a specific plugin-registered page.
  • Vulnerable Parameter: Likely a query parameter used for messaging or identifying a "tab" or "action" (e.g., page, status, or a custom plugin parameter like prefix).
  • Authentication: Unauthenticated. The vulnerability is accessible without logging in, or the reflection occurs before authentication checks are finalized.
  • Preconditions: The victim must click a specially crafted link pointing to the WordPress site where the plugin is active.

Code Flow (Inferred)

  1. Entry Point: The plugin registers a hook (likely init or admin_menu callback).
  2. Source: The plugin accesses a parameter from the $_GET or $_REQUEST superglobal.
  3. Processing: The code performs some logic but fails to apply sanitization functions like sanitize_text_field().
  4. Sink: The value is passed directly to an echo statement or a printf() call without escaping functions such as esc_html() or esc_attr().
  5. Output: The script payload is rendered in the HTML response and executed by the browser.

Nonce Acquisition Strategy

Reflected XSS typically occurs during the display of a page and does not always require a nonce. However, if the reflection happens within a protected action:

  1. Identify Action: Find if the reflection is tied to an action (e.g., wp_ajax_export_urls).
  2. Locate Nonce: Look for wp_create_nonce in the source code. If the nonce is localized via wp_localize_script, use the browser_eval tool.
  3. Shortcode Check: Search for add_shortcode in the plugin files. If found (e.g., [export_media_urls]), create a page: wp post create --post_type=page --post_status=publish --post_content='[shortcode_name]'.
  4. Extraction: Navigate to the page and run browser_eval("window.some_js_object?.nonce").

Note: If the reflection is unauthenticated and occurs on init, it is highly likely that no nonce is checked before the reflection occurs.

Exploitation Strategy

  1. File Analysis:
    • Search for vulnerable sinks: grep -rn "echo.*\$_GET" . or grep -rn "echo.*\$_REQUEST" ..
    • Identify the parameter name (e.g., export_prefix, filename, message).
  2. Payload Construction:
    • Simple: <script>alert(document.domain)</script>
    • Breakout (if inside an attribute): "><script>alert(1)</script>
  3. HTTP Request:
    • Target the identified URL using the http_request tool.
    • Method: GET
    • URL: http://localhost:8080/?vulnerable_param=<script>alert(1)</script> (or the admin path).
  4. Execution: Send the request and capture the response body.

Test Data Setup

  1. Plugin Installation: Ensure export-media-urls version 2.2 is installed and activated.
  2. Admin User: Create an admin user if needed for testing reflected XSS that targets administrators.
  3. Media Items: Upload a few images to the Media Library so the "Export" functionality has data to process.

Expected Results

  • The HTTP response body must contain the exact, unescaped payload string (e.g., <script>alert(1)</script>).
  • The Content-Type of the response should be text/html.
  • If viewed in a browser, a JavaScript alert would trigger.

Verification Steps

  1. Manual Verification: Check the response of the http_request tool to ensure the payload is not HTML-encoded (i.e., you see <script> and not &lt;script&gt;).
  2. Source Audit: Use cat to examine the vulnerable line in the plugin file to confirm the lack of esc_html() or esc_attr().
  3. Patch Comparison: If version 2.3 is available, compare the files to see if esc_html or sanitize_text_field was added to the identified line.

Alternative Approaches

  • Attribute Injection: If the parameter is reflected inside an value="..." attribute, test payloads like x" onmouseover="alert(1)".
  • Admin-only Reflection: If the reflection only occurs for logged-in admins, use the http_request tool with admin cookies (retrieved via browser_navigate and browser_eval("document.cookie")).
  • Header-based Reflection: Check if $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] are echoed, which can also lead to reflected XSS in certain configurations.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Export Media URLs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) due to its failure to sanitize and escape user-controlled input from URL parameters before echoing it back into the page. An unauthenticated attacker can exploit this by tricking a logged-in administrator into clicking a link containing a malicious payload, resulting in arbitrary script execution in the admin's browser session.

Vulnerable Code

// export-media-urls/export-media-urls.php

$export_prefix = isset($_GET['export_prefix']) ? $_GET['export_prefix'] : '';

// ... within the admin page rendering logic ...

echo '<input type="text" name="export_prefix" id="export_prefix" value="' . $export_prefix . '" />';

--- 

// export-media-urls/export-media-urls.php

if (isset($_GET['status'])) {
    echo '<div class="updated"><p>' . $_GET['status'] . '</p></div>';
}

Security Fix

--- export-media-urls/export-media-urls.php
+++ export-media-urls/export-media-urls.php
@@ -100,1 +100,1 @@
-echo '<input type="text" name="export_prefix" id="export_prefix" value="' . $export_prefix . '" />';
+echo '<input type="text" name="export_prefix" id="export_prefix" value="' . esc_attr( $export_prefix ) . '" />';
@@ -110,1 +110,1 @@
-echo '<div class="updated"><p>' . $_GET['status'] . '</p></div>';
+echo '<div class="updated"><p>' . esc_html( $_GET['status'] ) . '</p></div>';

Exploit Outline

The exploit targets the administrative 'Export Media URLs' settings page, typically located under the 'Tools' menu. An attacker constructs a GET request to `/wp-admin/tools.php?page=export-media-urls` (or the relevant plugin slug) and appends a malicious payload to a reflected parameter such as 'export_prefix'. A common payload would be `"><script>alert(document.cookie)</script>`, which breaks out of the HTML attribute and executes JavaScript. Because the plugin does not verify nonces or sanitize the input before outputting it, the script executes immediately when an authenticated administrator visits the crafted link.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.