CVE-2025-15058

Responsive Pricing Table <= 5.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'table_currency'

mediumImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
5.1.13
Patched in
7d
Time to patch

Description

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.1.12
PublishedJanuary 6, 2026
Last updatedJanuary 13, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the methodology for analyzing and verifying CVE-2025-15058, a Stored Cross-Site Scripting (XSS) vulnerability in the "Responsive Pricing Table" plugin. This plan is designed for execution by an automated security agent in a controlled, isolated environment. ### 1. Vulner…

Show full research plan

This research plan outlines the methodology for analyzing and verifying CVE-2025-15058, a Stored Cross-Site Scripting (XSS) vulnerability in the "Responsive Pricing Table" plugin. This plan is designed for execution by an automated security agent in a controlled, isolated environment.

1. Vulnerability Summary

  • ID: CVE-2025-15058
  • Vulnerability Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (Stored XSS)
  • Affected Parameter: table_currency
  • Requirement: Authenticated (Contributor+)
  • Root Cause: The plugin fails to sanitize the table_currency field when saving pricing table settings and subsequently fails to escape the value when rendering the pricing table on the frontend or in the admin dashboard.

2. Attack Vector Analysis

  • Target Endpoint: /wp-admin/post.php (for updating Pricing Table custom post types) or potentially a dedicated AJAX handler.
  • Custom Post Type: rpt_pricing_table (inferred from plugin slug dk-pricr-responsive-pricing-table).
  • Action: editpost (standard WP) or a plugin-specific saving action.
  • Vulnerable Parameter: table_currency.
  • Preconditions: The attacker must have at least Contributor-level access to create or edit pricing tables.

3. Code Flow (Inferred)

  1. Entry Point: The user submits a POST request to save a pricing table. The request includes the table_currency parameter.
  2. Processing (Source): The plugin catches the save event (likely via a save_post hook or an AJAX action).
  3. Storage: The plugin retrieves $_POST['table_currency'] and stores it in the database using update_post_meta() without applying sanitize_text_field() or wp_kses().
  4. Retrieval: When a user visits a page containing the pricing table shortcode (e.g., [rpt name="..."]), the plugin calls get_post_meta() to retrieve the currency value.
  5. Output (Sink): The retrieved value is echoed directly into the HTML output (likely within a <span> or <div> tag) without using esc_html() or esc_attr(), allowing injected HTML/JavaScript to execute.

4. Nonce Acquisition Strategy

To interact with the pricing table settings, a WordPress nonce is required.

  1. Shortcode Identification: The primary shortcode for this plugin is [rpt].
  2. Setup: Create a test page containing the shortcode:
    wp post create --post_type=page --post_status=publish --post_title="Pricing Test" --post_content='[rpt name="test-table"]'
  3. Navigation: Use browser_navigate to view the newly created page.
  4. Extraction: The plugin likely localizes scripts for the frontend or admin editor. Check for common localization objects:
    • browser_eval("window.rpt_ajax?.nonce") (inferred)
    • browser_eval("window.rpt_params?.nonce") (inferred)
  5. Admin Context: If exploiting via the admin dashboard, the _wpnonce found in the post-new.php?post_type=rpt_pricing_table page source should be used for the post.php request.

5. Exploitation Strategy

The goal is to demonstrate that the table_currency field can store and execute arbitrary HTML/JavaScript.

Step 1: Create a Pricing Table

  • Endpoint: /wp-admin/post.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: editpost
    • post_ID: [POST_ID]
    • _wpnonce: [EXTRACTED_NONCE]
    • table_currency: "><b id="xss-verify">STAG_XSS_TEST</b> (Using a benign HTML tag to verify injection)

Step 2: Trigger the Payload

  • Navigate to the frontend page where the [rpt] shortcode is deployed.
  • Alternatively, view the "All Pricing Tables" list in the WordPress admin if the currency is reflected there.

6. Test Data Setup

  1. User: Create a user with the contributor role.
  2. Plugin State: Ensure the dk-pricr-responsive-pricing-table plugin is active.
  3. Content: Create at least one rpt_pricing_table post to obtain a valid post_ID.

7. Expected Results

  • Upon saving, the request should return a 302 Redirect or a success JSON response.
  • Upon viewing the pricing table, the HTML source should contain <b id="xss-verify">STAG_XSS_TEST</b> instead of the literal string.
  • The " and > characters should break out of the intended HTML attribute or tag context.

8. Verification Steps

  1. Database Check: Use WP-CLI to verify the stored value:
    wp post meta get [POST_ID] table_currency
  2. DOM Verification: Use browser_eval to check for the existence of the injected element:
    browser_eval("document.getElementById('xss-verify') !== null")

9. Alternative Approaches

  • Payload Variation: If the application filters certain tags, try an attribute-based injection: curr" onmouseover="console.log(1)" data-x="
  • Endpoint Variation: Check if the plugin uses a custom AJAX save action (e.g., action=rpt_save_settings) by monitoring network traffic during a manual save in the WordPress admin.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in versions up to and including 5.1.12. This is due to the plugin failing to sanitize input when saving pricing table metadata and failing to escape the value when rendering it on the frontend or admin dashboard.

Exploit Outline

An authenticated attacker with at least Contributor-level access can exploit this by editing or creating a pricing table (custom post type 'rpt_pricing_table'). By submitting a POST request to '/wp-admin/post.php' with the 'action' set to 'editpost' and the 'table_currency' parameter containing an XSS payload (e.g., '"\><script\>alert(document.cookie)</script\>'), the payload is stored in the database. The script will execute whenever a user views a page containing the [rpt] shortcode or accesses the pricing table settings in the admin area.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.