Atomic Edge analysis of CVE-2025-68501:
This vulnerability is a reflected cross-site scripting (XSS) flaw in the Mollie Payments for WooCommerce WordPress plugin. The vulnerability affects versions up to and including 8.1.1. It allows unauthenticated attackers to inject arbitrary web scripts via a crafted link. The CVSS score of 6.1 indicates a medium severity issue.
The root cause is insufficient output escaping of a user-controlled URL parameter. The vulnerable code resides in the `refreshStatusField()` method within the `ConnectionStatusFields.php` file. In version 8.1.1, the function constructs a `$refreshUrl` by calling `add_query_arg()` with a nonce and a query parameter. This URL is then directly concatenated into an HTML anchor tag's `href` attribute without proper escaping. The specific line of code is: `'value' => '' . __('Refresh Mollie payment methods', 'mollie-payments-for-woocommerce') . ''`.
Exploitation requires an attacker to craft a malicious URL containing a JavaScript payload within the `refreshUrl` parameter. The attacker would trick an authenticated WordPress administrator into clicking a link that points to the plugin’s settings page. The payload would execute in the victim’s browser context when the page loads and the unescaped URL is rendered within the anchor tag. The attack vector is a reflected XSS via a GET request parameter.
The patch in version 8.1.2 addresses the vulnerability by applying the `esc_url()` WordPress escaping function to the `$refreshUrl` variable before output. The diff shows the change on line 16 of `ConnectionStatusFields.php`: `'value' => '' . __('Refresh Mollie payment methods', 'mollie-payments-for-woocommerce') . ''`. This function sanitizes the URL for safe output in HTML attributes, neutralizing any embedded JavaScript.
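The two paragraphs above describe the defect (a URL concatenated raw into an `href`) and the fix (escaping the URL before output). The following is an added example, not code from the plugin or from this analysis: it models both renderings in Python so the difference can be checked offline. `escape_url_for_attr()` is an approximation of what an `esc_url()`-style function does (scheme allowlist plus entity-encoding of attribute-breaking characters), not WordPress's own implementation; the request URIs and the `count_start_tags()` check are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample URIs. The first is what a normal refresh link looks like;
# the second carries a query value containing a double quote and an extra tag,
# standing in for any reflected, attacker-influenced request URI.
SAFE_URI = "/wp-admin/admin.php?page=mollie-settings&refresh-methods=1&_wpnonce=abc123"
HOSTILE_URI = '/wp-admin/admin.php?page=mollie-settings&x="><b>injected</b>'

# Schemes accepted for a link value; "" covers relative URLs such as the ones above.
ALLOWED_SCHEMES = {"", "http", "https"}


def render_unescaped(refresh_url: str, label: str) -> str:
    """Models the pre-8.1.2 pattern: the URL is concatenated straight into href."""
    return '<a href="' + refresh_url + '">' + label + '</a>'


def escape_url_for_attr(url: str) -> str:
    """Approximation (not WordPress's esc_url) of safe URL output for an attribute:
    reject URLs whose scheme is not on the allowlist, then entity-encode
    &, <, >, " and ' so the value cannot terminate the attribute or the tag."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return ""
    return html.escape(url, quote=True)


def render_escaped(refresh_url: str, label: str) -> str:
    """Models the 8.1.2 pattern: URL escaped for attribute context before output."""
    return '<a href="' + escape_url_for_attr(refresh_url) + '">' + html.escape(label) + '</a>'


class _StartTagCounter(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs) -> None:
        self.count += 1


def count_start_tags(markup: str) -> int:
    """Constructed check: a single rendered link should parse to exactly one
    start tag. More than one means the URL value broke out of the attribute."""
    parser = _StartTagCounter()
    parser.feed(markup)
    return parser.count


if __name__ == "__main__":
    label = "Refresh Mollie payment methods"
    for name, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        markup = renderer(HOSTILE_URI, label)
        print(f"{name}: {count_start_tags(markup)} start tag(s) -> {markup}")
```

Running the block prints two start tags for the unescaped rendering and one for the escaped one. The parse-and-count check is the useful part for a reviewer: it turns "is this attribute still intact?" into something a unit test can assert on each place a URL is written into markup.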
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated administrator’s session. This can lead to session hijacking, site defacement, or the creation of new administrative accounts. The impact is limited to the actions the victim user can perform, but given the target is likely an administrator, the consequences are severe.
