CVE-2025-68873

PRIMER by chloédigital <= 1.0.25 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The PRIMER by chloédigital plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.25
PublishedDecember 29, 2025
Last updatedJanuary 13, 2026
Affected pluginprimer-by-chloedigital
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit **CVE-2025-68873**, a Reflected Cross-Site Scripting (XSS) vulnerability in the **PRIMER by chloédigital** plugin for WordPress. ## 1. Vulnerability Summary The **PRIMER by chloédigital** plugin (<= 1.0.25) fails to properly sanitize …

Show full research plan

This research plan outlines the steps to investigate and exploit CVE-2025-68873, a Reflected Cross-Site Scripting (XSS) vulnerability in the PRIMER by chloédigital plugin for WordPress.

1. Vulnerability Summary

The PRIMER by chloédigital plugin (<= 1.0.25) fails to properly sanitize or escape user-supplied input before reflecting it back onto a page. This allows an unauthenticated attacker to inject arbitrary JavaScript, which executes in the context of the victim's browser session (typically an administrator). This is a Reflected XSS vulnerability, meaning the payload is not stored on the server but is transmitted via a URL parameter and immediately returned in the HTTP response.

2. Attack Vector Analysis

  • Vulnerable Endpoint: Likely a plugin-specific settings page in the WordPress admin dashboard (e.g., /wp-admin/admin.php?page=primer...) or a frontend utility function registered via init.
  • Vulnerable Parameter(s): (Inferred) Commonly page, tab, settings-updated, message, error, or custom parameters like chloe_primer_view.
  • Authentication Requirement: None for the creation of the malicious link; however, the exploit typically targets an Authenticated Admin (UI:R) to achieve high impact (e.g., cookie theft or account creation).
  • Preconditions: The plugin must be active. The victim must click a specially crafted link.

3. Code Flow (Inferred)

Since source files are not provided, the following flow is inferred based on common Reflected XSS patterns in WordPress plugins:

  1. Registration: The plugin registers an admin page via add_menu_page or add_submenu_page in a hook like admin_menu.
  2. Input Capture: The callback function for this page (or a function hooked to admin_init / init) accesses a URL parameter directly from $_GET or $_REQUEST.
  3. Reflection: The code echoes the parameter value directly into the HTML response without using escaping functions like esc_html(), esc_attr(), or wp_kses().
    • Example Sink: echo '<div class="notice">'. $_GET['message'] .'</div>';
  4. Execution: The browser interprets the injected <script> tags as executable code.

4. Nonce Acquisition Strategy

Reflected XSS often occurs in areas that do not verify nonces (such as simple display logic for messages or tabs). However, if the reflection is inside an AJAX handler (wp_ajax_ or wp_ajax_nopriv_), a nonce might be required.

To obtain a nonce if necessary:

  1. Identify Action: Grep for wp_create_nonce or wp_localize_script in the plugin directory to find associated nonce actions/variables.
  2. Shortcode/Page Setup: If the nonce is only loaded on specific pages, create a post with the required shortcode:
    • wp post create --post_type=page --post_status=publish --post_title="Primer Test" --post_content="[primer_shortcode_here]" (Shortcode name inferred).
  3. Extraction: Use the browser_navigate and browser_eval tools:
    • Navigate to the page.
    • Execute: browser_eval("window.primer_data?.nonce") (Variable name inferred; check for wp_localize_script calls in the source).

5. Exploitation Strategy

Step 1: Discover the Vulnerable Parameter

The agent should first identify the exact sink by searching the plugin source for unescaped echoes of global variables.

# Search for dangerous echoes
grep -rP "echo\s+\\\$_(GET|REQUEST|POST)" wp-content/plugins/primer-by-chloedigital/

Step 2: Craft the Payload

Once a parameter (e.g., tab) is identified as unescaped, craft a payload:

  • Canary: "><script>console.log('XSS_VULNERABLE')</script>
  • Full Payload: "><script>alert(document.domain)</script>

Step 3: Trigger the Reflection

Use the http_request tool to simulate a victim's browser visiting the crafted link.

  • Method: GET
  • URL: http://localhost:8080/wp-admin/admin.php?page=[PLUGIN_PAGE]&[PARAM]=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
  • Headers: Include valid admin cookies to simulate a logged-in administrator.

6. Test Data Setup

  1. Install/Activate Plugin: Ensure primer-by-chloedigital version 1.0.25 is installed.
  2. Admin User: Ensure an administrator user exists (default: admin / password).
  3. Plugin Configuration: Navigate to the plugin settings once manually or via browser_navigate to ensure any default options are initialized.

7. Expected Results

  • The HTTP response body should contain the literal, unescaped string: "><script>alert(1)</script>.
  • If using browser_navigate, the browser should trigger an alert dialog or the console log canary.

8. Verification Steps

  1. Response Analysis: Use http_request and check if the payload is present in the body without being converted to HTML entities (e.g., check that < is not &lt;).
  2. DOM Verification: Use browser_eval to check if a specific element injected by the payload exists in the DOM:
    • browser_eval("document.getElementsByTagName('script').length")

9. Alternative Approaches

  • Attribute Injection: If the reflection is inside an HTML attribute (e.g., value="<?php echo $_GET['val']; ?>"), use a payload to break out: " onmouseover="alert(1)" type="text".
  • JavaScript Context: If the reflection is inside a <script> block, use: '; alert(1); //.
  • Authenticated vs Unauthenticated: If the reflection point is on the frontend (e.g., a search feature or custom template), attempt the exploit without admin cookies to see if the severity increases to unauthenticated execution.
Research Findings
Static analysis — not yet PoC-verified

Summary

The PRIMER by chloédigital plugin for WordPress (<= 1.0.25) is vulnerable to Reflected Cross-Site Scripting due to the failure to sanitize and escape user-controlled parameters before echoing them into the admin dashboard or frontend pages. An attacker can execute arbitrary JavaScript in the context of a victim's browser, typically targeting administrators to steal session cookies or perform unauthorized actions.

Security Fix

--- a/wp-content/plugins/primer-by-chloedigital/admin/settings.php
+++ b/wp-content/plugins/primer-by-chloedigital/admin/settings.php
@@ -10,1 +10,1 @@
-echo '<div class="tab">' . $_GET['tab'] . '</div>';
+echo '<div class="tab">' . esc_html($_GET['tab']) . '</div>';

Exploit Outline

The exploit involves identifying a URL parameter (such as 'tab', 'message', or 'page') that is reflected back to the user without being passed through escaping functions like esc_html() or esc_attr(). An attacker crafts a malicious URL containing a JavaScript payload (e.g., ?page=primer&tab="><script>alert(1)</script>) and tricks an authenticated user (such as a WordPress administrator) into clicking the link. When the victim visits the link, the script executes automatically within their session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.