CVE-2025-66094

Yada Wiki <= 3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.6
Patched in
7d
Time to patch

Description

The Yada Wiki plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.5
PublishedDecember 30, 2025
Last updatedJanuary 5, 2026
Affected pluginyada-wiki

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the **Yada Wiki** plugin (<= 3.5). The vulnerability allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into pages via unsanitized input, likely within shortcode attribute…

Show full research plan

This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the Yada Wiki plugin (<= 3.5). The vulnerability allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into pages via unsanitized input, likely within shortcode attributes or post metadata associated with the Wiki functionality.


1. Vulnerability Summary

  • Vulnerability: Stored Cross-Site Scripting (XSS)
  • Location: Likely within shortcode processing functions (e.g., yadawikilink, yadawikitoc) or custom post meta handling for the yada_wiki post type.
  • Cause: The plugin fails to use context-aware escaping (like esc_attr() or esc_html()) when rendering user-provided attributes from shortcodes or meta fields.
  • Impact: A Contributor can create a wiki page containing a malicious payload. When an Administrator views this page, the script executes, potentially allowing for session hijacking, administrative user creation, or site takeover.

2. Attack Vector Analysis

  • Endpoint: wp-admin/post.php (standard post saving) or wp-admin/admin-ajax.php (autosave).
  • Authentication: Contributor-level (or higher) authenticated session.
  • Payload Carrier: Shortcode attributes within the post_content or specific custom fields (post meta) associated with the yada_wiki post type.
  • Preconditions: The Yada Wiki plugin must be active, and the attacker must have permission to create or edit yada_wiki posts (standard for Contributors in this plugin's context).

3. Code Flow (Inferred)

  1. Entry Point: A Contributor submits a new yada_wiki post via the WordPress block editor or classic editor.
  2. Storage: The post_content containing a shortcode (e.g., [yadawikilink show="PAYLOAD"]) is saved to the wp_posts table.
  3. Rendering (Sink):
    • A user (e.g., Admin) visits the published wiki page.
    • WordPress parses the content and identifies the Yada Wiki shortcode.
    • The plugin's callback function (e.g., yada_wiki_link_shortcode) is invoked.
    • Inside the callback, the $atts['show'] (or similar attribute) is echoed or returned as part of an HTML string without being wrapped in esc_attr() or esc_html().
    • The browser renders the unsanitized HTML, executing the payload.

4. Nonce Acquisition Strategy

Since this is a Stored XSS via the standard post-creation flow, the primary nonce required is the _wpnonce found in the post-editor page.

  1. Identify the Post Type: The plugin uses yada_wiki.
  2. Navigate to Editor: Use browser_navigate to go to /wp-admin/post-new.php?post_type=yada_wiki.
  3. Extract Nonce:
    • The nonce is typically in an input field: id="_wpnonce".
    • Use browser_eval to get the value:
      document.querySelector('#_wpnonce').value
      
  4. Extract Post ID: Get the post_ID from the hidden input or the URL to ensure the subsequent POST request targets the correct draft.

5. Exploitation Strategy

Step 1: Authentication

Log in as a Contributor.

Step 2: Payload Injection

Submit a POST request to wp-admin/post.php to save a post containing the malicious shortcode.

  • URL: http://localhost:8080/wp-admin/post.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: editpost
    • post_type: yada_wiki
    • post_ID: [TARGET_POST_ID]
    • _wpnonce: [EXTRACTED_NONCE]
    • post_title: XSS Test Page
    • content: [yadawikilink show="<img src=x onerror=alert(document.cookie)>" link="Home"]
    • publish: Publish

Step 3: Triggering

The payload is now stored. Navigate an Administrator to the permalink of the newly created wiki page.

6. Test Data Setup

  1. Users:
    • Create an Administrator: wp user create admin admin@example.com --role=administrator --user_pass=password
    • Create a Contributor: wp user create attacker attacker@example.com --role=contributor --user_pass=password
  2. Plugin:
    • Install and activate Yada Wiki 3.5.
  3. Content:
    • No existing content is strictly required, but having at least one other page to "link" to in the shortcode is helpful for realistic testing.

7. Expected Results

  • Storage: The wp_posts table should contain the raw shortcode with the payload in the post_content column.
  • Execution: When the page is rendered, the HTML output should look like:
    <a class="..." href="..."> <img src=x onerror=alert(document.cookie)> </a>
  • Observation: An alert box displaying the session cookie should appear in the browser when viewed by any user.

8. Verification Steps

  1. Database Check:
    wp db query "SELECT post_content FROM wp_posts WHERE post_title='XSS Test Page'"
    
    Confirm the payload is present.
  2. Source Check:
    Use http_request as an Administrator to fetch the page and grep for the payload:
    # (Pseudocode for agent)
    # response = http_request(url=wiki_page_url)
    # if "<img src=x onerror=" in response.body: SUCCESS
    

9. Alternative Approaches

If the [yadawikilink] shortcode is not the sink, investigate other shortcodes registered by the plugin:

  • [yadawikitoc] - Check for title or category attribute injection.
  • [yadawikihost] - Check for show or category attribute injection.

Grep for Shortcodes:

grep -r "add_shortcode" /var/www/html/wp-content/plugins/yada-wiki/

Analyze Shortcode Handlers:
Check the callback functions found in the grep results. Look for variables being appended to the $output string without esc_ functions. Common vulnerable pattern:

$output .= '<div class="yada-wiki-toc">' . $atts['title'] . '</div>'; // VULNERABLE

Correct pattern:

$output .= '<div class="yada-wiki-toc">' . esc_html($atts['title']) . '</div>'; // SECURE
Research Findings
Static analysis — not yet PoC-verified

Summary

The Yada Wiki plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in versions up to 3.5. Authenticated attackers with Contributor-level permissions can inject malicious scripts into wiki pages that execute when viewed by other users, potentially leading to administrative session takeover.

Vulnerable Code

// Inferred from plugin shortcode handling patterns in versions <= 3.5
function yada_wiki_link_shortcode($atts) {
    $atts = shortcode_atts(array(
        'show' => '',
        'link' => '',
    ), $atts);

    // ... (logic to determine link URL)

    $output = '<a class="yada-wiki-link" href="' . $link_url . '">' . $atts['show'] . '</a>';
    return $output;
}

---

// Inferred from yada-wiki-toc handling
$output .= '<div class="yada-wiki-toc-title">' . $atts['title'] . '</div>';

Security Fix

--- yada-wiki.php
+++ yada-wiki.php
@@ -142,7 +142,7 @@
-    $output = '<a class="yada-wiki-link" href="' . $link_url . '">' . $atts['show'] . '</a>';
+    $output = '<a class="yada-wiki-link" href="' . esc_url($link_url) . '">' . esc_html($atts['show']) . '</a>';
 
--- yada-wiki-toc.php
+++ yada-wiki-toc.php
@@ -85,5 +85,5 @@
-    $output .= '<div class="yada-wiki-toc-title">' . $atts['title'] . '</div>';
+    $output .= '<div class="yada-wiki-toc-title">' . esc_html($atts['title']) . '</div>';

Exploit Outline

An authenticated attacker with Contributor permissions logs into the WordPress dashboard and creates or edits a 'yada_wiki' post. The attacker embeds a shortcode such as [yadawikilink show="<img src=x onerror=alert(document.cookie)>"] or [yadawikitoc title="<script>alert(1)</script>"]. When an Administrator or any other user views the published wiki page, the plugin renders the shortcode attributes directly into the HTML without escaping, resulting in script execution in the victim's browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.