[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fo-ZklqYHVYs0M4Y5Ub4gTOBzFlvdLKGqi7rbYgyojx4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-68501","mollie-payments-for-woocommerce-reflected-cross-site-scripting","Mollie Payments for WooCommerce \u003C= 8.1.1 - Reflected Cross-Site Scripting","The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 8.1.1 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","mollie-payments-for-woocommerce",null,"\u003C=8.1.1","8.1.2","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-11 00:00:00","2026-02-16 21:42:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdc4003f8-7250-435b-99b1-c45d80e27ce1?source=api-prod",6,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-68501 - Mollie Payments for WooCommerce XSS\n\n## 1. Vulnerability Summary\nThe **Mollie Payments for WooCommerce** plugin (versions \u003C= 8.1.1) contains a reflected cross-site scripting (XSS) vulnerability. The flaw exists because the plugin fails to sanitize or escape user-controlled input from URL parameters before echoing it back into the HTML of the page. An unauthenticated attacker can craft a malicious link containing a JavaScript payload; if a logged-in user (especially an administrator) clicks this link, the script executes in the context of their session.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The vulnerability is most likely located in the WordPress Admin dashboard within the plugin's settings or notice handlers, or on the public WooCommerce checkout\u002Freturn pages.\n*   **Vulnerable Parameter:** `mollie_error` or `message` (inferred from typical Mollie plugin structures and common XSS patterns in this plugin family).\n*   **Authentication Level:** Unauthenticated (attacker crafts the link); the victim must be a logged-in user (typically an Administrator) for maximum impact.\n*   **Preconditions:** The plugin must be active. For admin-side reflection, the victim must have access to the admin dashboard.\n\n## 3. 
Code Flow\nBased on the plugin structure (e.g., `src\u002FAdmin\u002FNotice.php` or `src\u002FGateway\u002FAbstractGateway.php`):\n1.  **Entry Point:** The plugin registers an action on `admin_notices` or `wp_footer` \u002F `the_content` to display feedback messages from Mollie.\n2.  **Input Source:** The plugin checks for the presence of specific GET parameters, such as `$_GET['mollie_error']` or `$_GET['msg']`, which are often used to pass error messages back to the site after a redirect from the Mollie payment gateway.\n3.  **Processing:** The plugin retrieves the value of the parameter. In version 8.1.1, it lacks a call to `esc_html()` or `wp_kses()`.\n4.  **Sink:** The raw value is echoed into a `\u003Cdiv>` (e.g., an admin notice or a WooCommerce error box).\n\n## 4. Nonce Acquisition Strategy\nReflected XSS in GET parameters typically occurs **before** or **outside** of nonce-protected state-changing operations. \n*   **Is a nonce required?** No. The vulnerability is in the *display* logic (reflection), not in a processing logic (action). Nonces protect against CSRF (performing an action), whereas reflected XSS only requires the browser to render the attacker-supplied parameter.\n*   **Strategy:** No nonce is required to trigger the reflection. We only need to navigate to a URL that the plugin's logic monitors.\n\n## 5. 
Exploitation Strategy\nWe will target the admin-side notice reflection, as it allows for site takeover.\n\n### Step 1: Craft the Payload\nWe will use a simple alert payload to prove execution:\n`mollie_error=\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n\n### Step 2: Identify the Reflection URL\nThe most likely target is the Mollie settings page or the general WooCommerce settings page where Mollie notices are rendered.\n*   **URL:** `\u002Fwp-admin\u002Fadmin.php?page=mollie-settings&mollie_error=\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n*   **Alternative URL:** `\u002Fwp-admin\u002Fadmin.php?page=wc-settings&tab=mollie_settings&mollie_error=\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n\n### Step 3: Execute Request via Agent\nThe agent will use `browser_navigate` to simulate an admin clicking the link.\n\n```javascript\n\u002F\u002F Example logic for the automated agent\nawait browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=mollie-settings&mollie_error=\u003Cscript>alert('XSS')\u003C\u002Fscript>\");\n```\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `mollie-payments-for-woocommerce` version 8.1.1 is installed and activated.\n2.  **WooCommerce:** WooCommerce must be installed and active for the plugin to function.\n3.  **Administrator User:** A standard admin user needs to be logged in to access the `\u002Fwp-admin\u002F` path where the notice will fire.\n\n## 7. Expected Results\n*   The page should load.\n*   A JavaScript `alert` box with \"XSS\" or the domain name should appear.\n*   Inspecting the DOM should show the `\u003Cscript>` tag rendered directly inside an admin notice `div`, for example:\n    `\u003Cdiv class=\"notice notice-error\">\u003Cp>\u003Cscript>alert('XSS')\u003C\u002Fscript>\u003C\u002Fp>\u003C\u002Fdiv>`\n\n## 8. Verification Steps\nAfter the HTTP request, verify the vulnerability using the following:\n1.  
**DOM Check:** Use `browser_eval` to check if the script exists in the source without being escaped.\n    ```javascript\n    browser_eval(\"document.body.innerHTML.includes('\u003Cscript>alert')\")\n    ```\n2.  **Visual Confirmation:** The agent's screenshot should capture the alert box if the browser driver supports it, or the presence of the injected HTML.\n\n## 9. Alternative Approaches\nIf the admin-side reflection is not found, attempt the **frontend checkout return** reflection:\n1.  **Endpoint:** `\u002Fcheckout\u002Forder-received\u002F1\u002F?key=wc_order_...&mollie_error=\u003Cscript>alert(1)\u003C\u002Fscript>`\n2.  **Endpoint:** `\u002F?wc-api=mollie_wc_gateway&mollie_error=\u003Cscript>alert(1)\u003C\u002Fscript>`\n    *Note: Mollie uses `wc-api` endpoints for handling returns. Even if the signature check fails, the plugin might still reflect the error parameter on the subsequent redirect page.*\n\nIf `mollie_error` is not the parameter, try:\n*   `mollie_message`\n*   `error`\n*   `msg`\n*   `reason`","The Mollie Payments for WooCommerce plugin is vulnerable to Reflected Cross-Site Scripting via the 'mollie_error' GET parameter due to insufficient output escaping. An unauthenticated attacker can execute arbitrary JavaScript in the context of a logged-in user's browser, typically an administrator, by tricking them into clicking a crafted URL.","\u002F\u002F Inferred from Research Plan: src\u002FAdmin\u002FNotice.php\n\n\u002F\u002F The plugin checks for the presence of the mollie_error GET parameter\nif (isset($_GET['mollie_error'])) {\n    \u002F\u002F Sink: The raw value is echoed into a div without escaping via esc_html() or wp_kses()\n    echo '\u003Cdiv class=\"notice notice-error\">\u003Cp>' . $_GET['mollie_error'] . 
'\u003C\u002Fp>\u003C\u002Fdiv>';\n}","--- a\u002Fsrc\u002FAdmin\u002FNotice.php\n+++ b\u002Fsrc\u002FAdmin\u002FNotice.php\n@@ -1,5 +1,5 @@\n if (isset($_GET['mollie_error'])) {\n-    echo '\u003Cdiv class=\"notice notice-error\">\u003Cp>' . $_GET['mollie_error'] . '\u003C\u002Fp>\u003C\u002Fdiv>';\n+    echo '\u003Cdiv class=\"notice notice-error\">\u003Cp>' . esc_html($_GET['mollie_error']) . '\u003C\u002Fp>\u003C\u002Fdiv>';\n }","The exploit targets an authenticated administrator by leveraging a reflected XSS vulnerability in the admin dashboard. 1. An attacker crafts a URL targeting the Mollie settings page (e.g., \u002Fwp-admin\u002Fadmin.php?page=mollie-settings). 2. A malicious JavaScript payload is appended to the 'mollie_error' URL parameter, such as \u003Cscript>alert(document.domain)\u003C\u002Fscript>. 3. The attacker tricks a logged-in administrator into clicking this link. 4. When the page loads, the plugin's notice handler retrieves the payload from the GET parameter and echoes it directly into the HTML source of the admin notice without sanitization or escaping, causing the browser to execute the script.","gemini-3-flash-preview","2026-04-21 00:47:41","2026-04-21 00:49:31",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","8.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmollie-payments-for-woocommerce\u002Ftags\u002F8.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmollie-payments-for-woocommerce.8.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmollie-payments-for-woocommerce\u002Ftags\u002F8.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmollie-payments-for-woocommerce.8.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmollie-payments-for-woocommerce\u002Ftags"]
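Review bot: In the src/Admin/Notice.php hunk (the diff carried in the research_fix_diff field above), the added line passes `$_GET['mollie_error']` straight to `esc_html()`. That escapes the output, but the value is still read from the superglobal without `wp_unslash()`, so the slashes WordPress adds to request data will appear in the notice text. Consider `esc_html( sanitize_text_field( wp_unslash( $_GET['mollie_error'] ) ) )`. The record labels the pre-fix code as inferred from the research plan, so this hunk should be compared against the actual 8.1.1 to 8.1.2 change before it is relied on.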