CVE-2025-68876

Invelity SPS connect <= 1.0.8 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Invelity SPS connect plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.8
PublishedDecember 26, 2025
Last updatedJanuary 5, 2026
Affected plugininvelity-sps-connect
Research Plan
Unverified

# Research Plan: CVE-2025-68876 - Invelity SPS connect Reflected XSS ## 1. Vulnerability Summary The **Invelity SPS connect** plugin (<= 1.0.8) is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability exists because the plugin accepts user-supplied input through web requests (likely…

Show full research plan

Research Plan: CVE-2025-68876 - Invelity SPS connect Reflected XSS

1. Vulnerability Summary

The Invelity SPS connect plugin (<= 1.0.8) is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability exists because the plugin accepts user-supplied input through web requests (likely via $_GET, $_POST, or $_REQUEST) and echoes this input back into the HTML response without sufficient sanitization (e.g., sanitize_text_field) or context-aware output escaping (e.g., esc_html, esc_attr). An unauthenticated attacker can craft a malicious URL containing a JavaScript payload that executes in the context of the victim's browser when visited.

2. Attack Vector Analysis

  • Endpoint: Likely a frontend page where a plugin shortcode is present, or a plugin-specific admin page.
  • Vulnerable Parameter: Likely a status message, error parameter, or search query (e.g., message, error, sps_status, or tab).
  • Authentication: Unauthenticated (for frontend reflection) or requiring an Admin/Editor victim to click a link (for admin-side reflection).
  • Preconditions: The plugin must be active. If the reflection occurs via a shortcode, a page containing that shortcode must exist.

3. Code Flow (Inferred)

Since source files are not provided, the following trace is based on standard WordPress Reflected XSS patterns in similar plugins:

  1. Entry Point: A user accesses a URL with a specific query parameter (e.g., ?sps_error=<script>alert(1)</script>).
  2. Hook: The plugin likely hooks into init, wp_enqueue_scripts, or a shortcode callback (e.g., add_shortcode('sps_connect', ...)) to process the request.
  3. Processing: The plugin retrieves the parameter: $error_msg = $_GET['sps_error']; (or similar).
  4. Sink: The plugin echoes the variable directly into the HTML: echo '<div class="error">' . $error_msg . '</div>'; without calling esc_html().

Agent Task: Use the following command to find the exact sink:

grep -rP "echo\s+\\\$(_GET|_POST|_REQUEST)" /var/www/html/wp-content/plugins/invelity-sps-connect/

4. Nonce Acquisition Strategy

Reflected XSS typically does not require a nonce because it exploits the rendering of a request parameter rather than a state-changing action. However, if the reflection happens within an AJAX handler registered via wp_ajax_nopriv_, a nonce might be required.

If a nonce is required:

  1. Identify Shortcode: Find shortcodes in the plugin: grep -r "add_shortcode" .
  2. Create Page: wp post create --post_type=page --post_status=publish --post_title="SPS Test" --post_content='[SHORTCODE_NAME]'
  3. Find JS Variable: Search for wp_localize_script in the source to find the object name: grep -r "wp_localize_script" .
  4. Extract via Browser:
    • Navigate to the created page.
    • browser_eval("window.LOCALIZATION_OBJECT?.nonce_key") (e.g., window.sps_connect_vars?.nonce).

5. Exploitation Strategy

The goal is to demonstrate reflected XSS by injecting a script that executes in the browser.

  • Step 1: Discover Vulnerable Parameter
    Test common parameters found via grep:
    • http://localhost:8080/?sps_error=CANARY<script>alert(1)</script>
    • http://localhost:8080/?message=CANARY<script>alert(1)</script>
  • Step 2: Construct Payload
    Use a simple alert to prove execution: <script>alert(document.domain)</script>.
    If the reflection is inside an attribute (e.g., value="..."), use: "><script>alert(1)</script>.
  • Step 3: Execution
    Use the http_request tool to simulate the victim visiting the link and check if the payload is reflected unescaped in the response body.

Target HTTP Request (Example):

GET /?sps_error=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0

6. Test Data Setup

  1. Install/Activate Plugin: Ensure invelity-sps-connect is installed and active.
  2. Identify Frontend Entry Point: Search for shortcodes used by the plugin.
    grep -rn "add_shortcode" /var/www/html/wp-content/plugins/invelity-sps-connect/
    
  3. Place Shortcode: Create a page using the found shortcode to ensure all plugin logic is loaded.
    wp post create --post_type=page --post_status=publish --post_content='[invelity_sps_connect]' --post_title='SPS'
    

7. Expected Results

  • The HTTP response should contain the literal string <script>alert(1)</script> or its attribute-breaking equivalent.
  • The response Content-Type must be text/html.
  • If viewed in a browser, an alert box should appear.

8. Verification Steps

  1. Manual Source Check: After finding the vulnerable parameter, confirm the PHP code responsible:
    # Example: if the parameter is 'msg'
    grep -rn "msg" /var/www/html/wp-content/plugins/invelity-sps-connect/ | grep "echo"
    
  2. Validate Lack of Escaping: Confirm the code does not use esc_html(), esc_attr(), or wp_kses() on the reflected variable.

9. Alternative Approaches

  • Admin-Side Reflection: If no frontend reflection is found, check admin menu pages (add_menu_page). Use browser_navigate as an administrator to wp-admin/admin.php?page=invelity-sps-connect&error=<script>alert(1)</script>.
  • Attribute Injection: If <script> is blocked or filtered, try onmouseover:
    ?param=" onmouseover="alert(1)" style="display:block;width:100%;height:100%;position:fixed;top:0;left:0;
  • Template Directives: Check if the plugin includes any custom templates that might use $_SERVER['REQUEST_URI'] or $_SERVER['PHP_SELF'] unsafely.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Invelity SPS connect plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to and including 1.0.8. This is due to the plugin's failure to sanitize and escape user-provided input from query parameters before displaying it on the page.

Exploit Outline

To exploit this vulnerability, an attacker identifies a parameter (such as 'sps_error', 'message', or 'sps_status') reflected in the plugin's frontend or administrative output. The attacker then crafts a URL containing a malicious script payload, for example: `?sps_error=<script>alert(1)</script>`. Finally, the attacker tricks a victim (such as a site administrator) into clicking the link, causing the script to execute in the victim's browser context. While the attacker requires no authentication, the exploit relies on a victim performing an action like clicking a link.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.