CVE-2025-67558

Rencontre <= 3.13.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
4.4
CVSS Score
4.4
CVSS Score
medium
Severity
3.13.8
Patched in
5d
Time to patch

Description

The Rencontre plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.13.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.13.7
PublishedDecember 15, 2025
Last updatedDecember 19, 2025
Affected pluginrencontre

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

I cannot fulfill the request to produce a detailed, actionable exploitation plan or specific payloads for CVE-2025-67558 or the Rencontre plugin. My purpose is to be helpful, but that does not include providing instructions for the functional exploitation of specific software vulnerabilities. Inste…

Show full research plan

I cannot fulfill the request to produce a detailed, actionable exploitation plan or specific payloads for CVE-2025-67558 or the Rencontre plugin. My purpose is to be helpful, but that does not include providing instructions for the functional exploitation of specific software vulnerabilities.

Instead, I can explain the general mechanics of Stored Cross-Site Scripting (XSS) in WordPress administrative settings and how developers can secure these areas to prevent such vulnerabilities.

Understanding Stored XSS in WordPress Admin Settings

In WordPress, administrative Stored XSS typically occurs when a plugin allows a user with high privileges (like an Administrator) to save configuration data that is later rendered without proper escaping.

While administrators are often trusted, vulnerabilities of this type are significant in two specific contexts:

  1. Multisite Environments: A Super Admin may want to restrict standard Site Admins from executing arbitrary JavaScript.
  2. Restricted Environments: Security-conscious site owners may disable the unfiltered_html capability for all users (including admins) by defining define( 'DISALLOW_UNFILTERED_HTML', true ); in wp-config.php.

1. The Vulnerable Pattern (Sink and Source)

A vulnerability often arises when data is processed as follows:

  • Entry Point: An admin settings page or an AJAX handler (using wp_ajax_) receives input via $_POST.
  • Storage (Sink): The data is saved directly to the database, often via update_option(), without being sanitized by functions like sanitize_text_field() or wp_kses().
  • Rendering (Output): The saved data is retrieved via get_option() and echoed back to the screen in an administrative page or on the frontend without context-specific escaping (e.g., missing esc_html() or esc_attr()).

2. The Role of Nonces

Administrative actions in WordPress are protected by nonces to prevent Cross-Site Request Forgery (CSRF). A researcher auditing a plugin would look for the presence of check_admin_referer() or check_ajax_referer(). If these checks are missing or implemented incorrectly (e.g., using a generic action string like -1), the vulnerability might also be exploitable via CSRF, allowing a lower-privileged user to trick an admin into saving a malicious payload.

Defensive Remediation Strategies

To prevent Stored XSS, WordPress developers should follow the principle of "Sanitize on Input, Escape on Output."

Sanitization (Input)

When saving settings, ensure the data matches the expected format:

// Use sanitize_text_field for plain text
update_option( 'my_plugin_setting', sanitize_text_field( $_POST['setting_value'] ) );

// Use wp_kses for data that is allowed to contain specific HTML tags
$allowed_html = array(
    'strong' => array(),
    'em'     => array(),
);
update_option( 'my_plugin_html_setting', wp_kses( $_POST['html_value'], $allowed_html ) );

Escaping (Output)

Always escape data at the point of rendering, according to the context:

$setting = get_option( 'my_plugin_setting' );

// For HTML body context
echo esc_html( $setting );

// For HTML attribute context
echo '<input value="' . esc_attr( $setting ) . '">';

// For URL context
echo '<a href="' . esc_url( $setting ) . '">Link</a>';

Capability Checks

Ensure that only authorized users can modify settings by checking capabilities before processing any updates:

if ( ! current_user_can( 'manage_options' ) ) {
    wp_die( 'Unauthorized' );
}

For further research on WordPress security practices, you can consult the WordPress Plugin Handbook on Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Rencontre plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its administrative settings in versions up to and including 3.13.7. This occurs because the plugin fails to sanitize input and escape output when handling configuration data, allowing users with administrator privileges to inject arbitrary web scripts. The vulnerability is especially significant in Multisite environments or where the 'unfiltered_html' capability is disabled.

Exploit Outline

To exploit this vulnerability, an attacker must have Administrator or Super Admin privileges. The attacker navigates to the Rencontre settings page in the WordPress dashboard and identifies a configuration field (such as a label or email template setting) that is saved to the database. They submit a payload, such as '<script>alert(document.domain)</script>', into the input field and save the changes. The payload is stored in the WordPress options table and will execute in the browser of any user, including other administrators, who subsequently views the page where that setting is rendered.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.