Responsive Pricing Table <= 5.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'table_currency'
Description
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=5.1.12Source Code
WordPress.org SVNThis research plan outlines the methodology for analyzing and verifying CVE-2025-15058, a Stored Cross-Site Scripting (XSS) vulnerability in the "Responsive Pricing Table" plugin. This plan is designed for execution by an automated security agent in a controlled, isolated environment. ### 1. Vulner…
Show full research plan
This research plan outlines the methodology for analyzing and verifying CVE-2025-15058, a Stored Cross-Site Scripting (XSS) vulnerability in the "Responsive Pricing Table" plugin. This plan is designed for execution by an automated security agent in a controlled, isolated environment.
1. Vulnerability Summary
- ID: CVE-2025-15058
- Vulnerability Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (Stored XSS)
- Affected Parameter:
table_currency - Requirement: Authenticated (Contributor+)
- Root Cause: The plugin fails to sanitize the
table_currencyfield when saving pricing table settings and subsequently fails to escape the value when rendering the pricing table on the frontend or in the admin dashboard.
2. Attack Vector Analysis
- Target Endpoint:
/wp-admin/post.php(for updating Pricing Table custom post types) or potentially a dedicated AJAX handler. - Custom Post Type:
rpt_pricing_table(inferred from plugin slugdk-pricr-responsive-pricing-table). - Action:
editpost(standard WP) or a plugin-specific saving action. - Vulnerable Parameter:
table_currency. - Preconditions: The attacker must have at least Contributor-level access to create or edit pricing tables.
3. Code Flow (Inferred)
- Entry Point: The user submits a POST request to save a pricing table. The request includes the
table_currencyparameter. - Processing (Source): The plugin catches the save event (likely via a
save_posthook or an AJAX action). - Storage: The plugin retrieves
$_POST['table_currency']and stores it in the database usingupdate_post_meta()without applyingsanitize_text_field()orwp_kses(). - Retrieval: When a user visits a page containing the pricing table shortcode (e.g.,
[rpt name="..."]), the plugin callsget_post_meta()to retrieve the currency value. - Output (Sink): The retrieved value is echoed directly into the HTML output (likely within a
<span>or<div>tag) without usingesc_html()oresc_attr(), allowing injected HTML/JavaScript to execute.
4. Nonce Acquisition Strategy
To interact with the pricing table settings, a WordPress nonce is required.
- Shortcode Identification: The primary shortcode for this plugin is
[rpt]. - Setup: Create a test page containing the shortcode:
wp post create --post_type=page --post_status=publish --post_title="Pricing Test" --post_content='[rpt name="test-table"]' - Navigation: Use
browser_navigateto view the newly created page. - Extraction: The plugin likely localizes scripts for the frontend or admin editor. Check for common localization objects:
browser_eval("window.rpt_ajax?.nonce")(inferred)browser_eval("window.rpt_params?.nonce")(inferred)
- Admin Context: If exploiting via the admin dashboard, the
_wpnoncefound in thepost-new.php?post_type=rpt_pricing_tablepage source should be used for thepost.phprequest.
5. Exploitation Strategy
The goal is to demonstrate that the table_currency field can store and execute arbitrary HTML/JavaScript.
Step 1: Create a Pricing Table
- Endpoint:
/wp-admin/post.php - Method:
POST - Content-Type:
application/x-www-form-urlencoded - Parameters:
action:editpostpost_ID:[POST_ID]_wpnonce:[EXTRACTED_NONCE]table_currency:"><b id="xss-verify">STAG_XSS_TEST</b>(Using a benign HTML tag to verify injection)
Step 2: Trigger the Payload
- Navigate to the frontend page where the
[rpt]shortcode is deployed. - Alternatively, view the "All Pricing Tables" list in the WordPress admin if the currency is reflected there.
6. Test Data Setup
- User: Create a user with the
contributorrole. - Plugin State: Ensure the
dk-pricr-responsive-pricing-tableplugin is active. - Content: Create at least one
rpt_pricing_tablepost to obtain a validpost_ID.
7. Expected Results
- Upon saving, the request should return a
302 Redirector a success JSON response. - Upon viewing the pricing table, the HTML source should contain
<b id="xss-verify">STAG_XSS_TEST</b>instead of the literal string. - The
"and>characters should break out of the intended HTML attribute or tag context.
8. Verification Steps
- Database Check: Use WP-CLI to verify the stored value:
wp post meta get [POST_ID] table_currency - DOM Verification: Use
browser_evalto check for the existence of the injected element:browser_eval("document.getElementById('xss-verify') !== null")
9. Alternative Approaches
- Payload Variation: If the application filters certain tags, try an attribute-based injection:
curr" onmouseover="console.log(1)" data-x=" - Endpoint Variation: Check if the plugin uses a custom AJAX save action (e.g.,
action=rpt_save_settings) by monitoring network traffic during a manual save in the WordPress admin.
Summary
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in versions up to and including 5.1.12. This is due to the plugin failing to sanitize input when saving pricing table metadata and failing to escape the value when rendering it on the frontend or admin dashboard.
Exploit Outline
An authenticated attacker with at least Contributor-level access can exploit this by editing or creating a pricing table (custom post type 'rpt_pricing_table'). By submitting a POST request to '/wp-admin/post.php' with the 'action' set to 'editpost' and the 'table_currency' parameter containing an XSS payload (e.g., '"\><script\>alert(document.cookie)</script\>'), the payload is stored in the database. The script will execute whenever a user views a page containing the [rpt] shortcode or accesses the pricing table settings in the admin area.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.