CVE-2025-68858

wpCAS <= 1.07 - Reflected Cross-Site Scripting

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.1
Patched in: Unpatched
Time to patch: N/A

Description

The wpCAS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.07 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.07
Published: January 20, 2026
Last updated: January 27, 2026
Affected plugin: wpcas
Research Plan
Unverified


Exploitation Research Plan: CVE-2025-68858 (wpCAS <= 1.07)

1. Vulnerability Summary

The wpCAS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to 1.07. The vulnerability exists because the plugin accepts user-supplied input via URL parameters and reflects it back into the HTML response without adequate sanitization or output escaping. This allows an unauthenticated attacker to execute arbitrary JavaScript in the context of a victim's browser session.

2. Attack Vector Analysis

  • Target Endpoint: The vulnerability is most likely located in the CAS login handling logic, typically triggered via wp-login.php or the site root with specific query parameters.
  • Vulnerable Parameter: Based on common CAS plugin patterns, the likely candidates are wpcas (used for action triggers), service (redirect URL), or msg/error (reflected messages).
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active. The victim must be tricked into clicking a malicious link.

3. Code Flow (Inferred)

  1. Hook Registration: The plugin likely hooks into init or login_form to intercept CAS-related requests.
    • Likely Hook: add_action('init', 'wpcas_login_check') or add_action('login_form', 'wpcas_add_login_button').
  2. Input Capture: The plugin checks for a specific parameter in $_GET (e.g., wpcas).
  3. Vulnerable Sink: If a certain condition is met (e.g., a failed login or a specific action), the plugin outputs a message or a hidden form field containing a value derived directly from $_GET or $_SERVER['REQUEST_URI'].
    • Example Sink: echo '<div id="message">' . $_GET['msg'] . '</div>';
    • Example Sink: echo '<input type="hidden" name="service" value="' . $_GET['service'] . '">';

4. Nonce Acquisition Strategy

Reflected XSS in a GET-based authentication flow typically does not require a nonce, as the vulnerability occurs during the initial page generation or error display before any state-changing action is validated.

If the vulnerability were in a POST-based admin setting reflection (unlikely given the "unauthenticated" description), the following strategy would be used:

  1. Identify Trigger: Identify the admin page where the reflection occurs.
  2. Locate Nonce: In wpcas-conf.php (inferred file), look for wp_create_nonce or wp_localize_script.
  3. Extraction: Use browser_navigate to the admin settings page and browser_eval to extract the nonce from the form or JS object.

For this specific CVE, the exploitation will proceed assuming no nonce is required for the reflection.

5. Exploitation Strategy

The goal is to demonstrate reflected XSS by injecting a script tag that executes a canary alert.

  1. Endpoint Identification: Test the following common wpCAS entry points:
    • /?wpcas=login&service=<script>alert(1)</script>
    • /?wpcas=reauth&msg=<script>alert(1)</script>
    • /wp-login.php?wpcas=login&error="><script>alert(1)</script>
  2. Payload Construction: Use a standard XSS payload that breaks out of common HTML contexts (attribute or tag body).
    • "><script>alert(window.origin)</script>
    • %22%3E%3Cscript%3Ealert(window.origin)%3C/script%3E (URL Encoded)
  3. HTTP Request (Example):
    • Method: GET
    • URL: http://localhost:8080/wp-login.php?wpcas=login&service=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
    • Tool: http_request

6. Test Data Setup

  1. Plugin Installation: Ensure wpcas version 1.07 is installed and activated.
  2. No Configuration Required: CAS plugins usually execute the "Login Check" logic as soon as the plugin is active, even if the CAS server URL is not yet configured, as they need to detect the wpcas parameter to start the handshake.

7. Expected Results

  • Response Body: The HTTP response should contain the raw, unescaped string <script>alert(1)</script>.
  • DOM Execution: When navigated via browser_navigate, a JavaScript alert dialog (or a console log if using a non-blocking payload) should be triggered.
  • Context: The payload should be reflected inside the <body> or within an <input> tag's value attribute that has been broken out of.

8. Verification Steps

  1. Automated Check: Use http_request to fetch the URL and check if the payload exists in the response body without HTML entities (e.g., no &lt;).
  2. Browser Check: Use browser_navigate to the malicious URL and browser_eval to check for a side effect (e.g., browser_eval("window.xss_executed = true") if the payload was <script>window.xss_executed=true</script>).

9. Alternative Approaches

If the service or msg parameters are not vulnerable:

  • PHP_SELF/REQUEST_URI: Check if the plugin reflects the current URL in a form action:
    • URL: /wp-login.php/index.php?wpcas=login/"><script>alert(1)</script>
  • POST Reflection: Check if the plugin reflects POST data on a failed login attempt:
    • Method: POST
    • URL: /wp-login.php?wpcas=login
    • Body: service="><script>alert(1)</script>
  • Admin Notice Reflection: If the plugin stores the last error in an option and reflects it in the admin dashboard (Stored-Reflected hybrid):
    1. Trigger an error as unauthenticated user: /?wpcas=error&msg=<script>alert(1)</script>
    2. Login as admin and check for the script execution on the dashboard.

Research Findings
Static analysis — not yet PoC-verified

Summary

The wpCAS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to 1.07. This occurs because the plugin reflects user-supplied input from parameters like 'service' or 'msg' directly into the page without proper sanitization or output escaping.

Vulnerable Code

<?php
// Inferred from wpcas.php login check logic. Both sinks below are the
// deliberately vulnerable form: request parameters are echoed without escaping.

if (isset($_GET['wpcas'])) {
    // Sink 1: reflection of the message parameter into an HTML text node
    if (isset($_GET['msg'])) {
        echo '<div id="message">' . $_GET['msg'] . '</div>';
    }
}

// Sink 2: reflection of the service URL into an attribute value of a hidden field
if (isset($_GET['service'])) {
    $service = $_GET['service'];
    echo '<input type="hidden" name="service" value="' . $service . '">';
}

Security Fix

--- wpcas.php
+++ wpcas.php
@@ -24,7 +24,7 @@
 if (isset($_GET['wpcas'])) {
     if (isset($_GET['msg'])) {
-        echo '<div id="message">' . $_GET['msg'] . '</div>';
+        echo '<div id="message">' . esc_html($_GET['msg']) . '</div>';
     }
 }
 
 if (isset($_GET['service'])) {
-    $service = $_GET['service'];
-    echo '<input type="hidden" name="service" value="' . $service . '">';
+    $service = esc_url($_GET['service']);
+    echo '<input type="hidden" name="service" value="' . esc_attr($service) . '">';
 }
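Review bot: `esc_url($_GET['service'])` on the `$service =` line only normalizes the URL for output; it does not restrict the host, so if `$service` is also consumed as the CAS redirect target later in this function (not shown in the hunk) that use still needs `wp_validate_redirect()`. The context-specific escaping of the reflected values themselves (`esc_html()` for the message text node, `esc_attr()` for the attribute value) is the right fix for the XSS. Separately, the header `@@ -24,7 +24,7 @@` claims 7-line ranges while the body spans 10 old and 10 new lines; regenerate the hunk so it applies cleanly.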

Exploit Outline

To exploit this vulnerability, an attacker targets the CAS login entry points, typically accessed via wp-login.php or the site root with the 'wpcas' query parameter. The attacker crafts a URL containing a malicious JavaScript payload in parameters such as 'service' or 'msg' (e.g., ?wpcas=login&service="><script>alert(origin)</script>). When an unauthenticated victim clicks this link, the plugin renders the payload unescaped into the HTML body or an attribute, causing the browser to execute the script in the context of the victim's session.
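For defenders who cannot patch yet (the plugin is listed as unpatched), the outline above translates directly into a log check: look for requests on the wpCAS entry points whose reflected parameters carry markup. The following is an added example, not code from the wpCAS project or from this advisory's authors. It scans constructed access-log lines in Combined Log Format and reports requests that include the `wpcas` parameter together with a `msg`, `service` or `error` value containing HTML-breaking characters after URL decoding; the parameter names come from the advisory, the log lines and IP addresses are constructed samples, and the double-decoding loop is an assumption about how encoded payloads may appear.

```python
"""Flag requests to wpCAS entry points that carry XSS-style payloads.

Added example for the advisory above; not code from the wpCAS project.
Sample log lines below are constructed, not captured from a real site.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameters the advisory names as reflected by the plugin.
REFLECTED_PARAMS = ("msg", "service", "error")

# Characters that break out of the two reflection contexts described above:
# '<' / '>' for the text node, '"' / "'" for the attribute value.
MARKUP_RE = re.compile(r'[<>"\']')

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed samples: a legitimate CAS login, the advisory's payload in
# 'service', a double-encoded payload in 'msg', and a request without 'wpcas'.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jan/2026:10:00:01 +0000] "GET /wp-login.php?wpcas=login'
    '&service=https%3A%2F%2Fexample.org%2Fwp-admin%2F HTTP/1.1" 302 0',
    '203.0.113.9 - - [20/Jan/2026:10:00:05 +0000] "GET /wp-login.php?wpcas=login'
    '&service=%22%3E%3Cscript%3Ealert(window.origin)%3C/script%3E HTTP/1.1" 200 5120',
    '198.51.100.4 - - [20/Jan/2026:10:00:09 +0000] "GET /?wpcas=reauth'
    '&msg=%253Cscript%253Ealert(1)%253C%2Fscript%253E HTTP/1.1" 200 4096',
    '198.51.100.5 - - [20/Jan/2026:10:00:12 +0000] "GET /?msg=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 1024',
]


def decode_param(value: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are visible.

    parse_qs already decoded once; extra rounds only matter if the value was
    encoded more than once, which is an assumption about attacker behaviour.
    """
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str) -> list:
    """Return the reflected parameter names carrying markup in this request target.

    Only requests that include the 'wpcas' parameter are considered, since that
    is what routes the request into the plugin's login handling.
    """
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "wpcas" not in query:
        return []
    hits = []
    for name in REFLECTED_PARAMS:
        if any(MARKUP_RE.search(decode_param(raw)) for raw in query.get(name, [])):
            hits.append(name)
    return hits


def scan_log(lines) -> list:
    """Return (client_ip, request_target, [hit params]) for each suspicious line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        hits = inspect_request(m["target"])
        if hits:
            findings.append((m["ip"], m["target"], hits))
    return findings


if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} -> markup in {', '.join(hits)}: {target}")
```

The legitimate `service` value in the first sample is a plain URL and produces no finding, which is why the check looks for context-breaking characters after decoding rather than flagging every request that carries a URL in `service`. A hit on a 200 response (the plugin rendering the page) is more interesting than one on a 302, because a redirect means the reflected content was probably never sent to the browser.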
