Atomic Edge analysis of CVE-2025-67978:
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the Educare WordPress plugin, affecting versions up to and including 1.6.1. The vulnerability exists in multiple template files where user-supplied input is insufficiently sanitized before output, allowing attackers to inject arbitrary JavaScript. The CVSS score of 7.2 reflects the high impact of stored XSS that executes in the context of authenticated users.
Atomic Edge research identifies the root cause as missing output escaping in several template files. The vulnerable code fails to escape user-controlled data before rendering it inside HTML attributes. Specifically, `educare/templates/educare-default-display-data.php` outputs the `$search` and `$key` variables directly into `value`, `class`, and `data-bs-target` attributes at lines 325, 610, 665, 667, and 669 without escaping. `educare/templates/template-functions.php` likewise outputs the user-controlled `$value` and `$term` variables directly into `selected`, `name`, and `value` attributes at lines 195, 728, 732, and 742 without escaping.
Exploitation occurs through unauthenticated HTTP requests to public-facing Educare plugin endpoints that accept and store user input. Attackers can inject malicious JavaScript payloads into parameters like `search` or custom field values. These payloads persist in the database and execute whenever an administrator or other user views the affected page. The attack vector requires no authentication, making it accessible to any remote attacker.
The patch in version 1.6.2 adds output escaping using WordPress security functions. In `educare-default-display-data.php`, the code wraps the `$search` variable at line 325 and the `strtolower($key)` outputs at lines 610, 665, 667, and 669 in `esc_attr()`. In `template-functions.php`, the patch applies `esc_attr()` to the `$value` parameter passed to `selected()` at line 195, and to the `$term` and `$value` variables in hidden input fields at lines 728, 732, and 742. These changes ensure user input is encoded for the HTML attribute context before it is rendered.
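The attribute-context fix described above, as an added PHP example that is not the Educare plugin's own code: a raw echo of `$search` into a `value` attribute beside the `esc_attr()`-wrapped form, using a constructed input and a stand-in `esc_attr()` (an assumption, present only so the file runs outside WordPress; inside WordPress the real function is used).

```php
<?php
// Added example, not code from the Educare plugin. It contrasts the unescaped
// attribute output the advisory describes with the esc_attr() form the 1.6.2
// patch introduces.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr() so this runs outside WordPress (assumption).
    // Like esc_attr(), it encodes & < > " ' for safe use inside a quoted attribute.
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: user-controlled $search lands in value="" unescaped.
function render_search_box_vulnerable(string $search): string
{
    return '<input type="text" name="search" value="' . $search . '">';
}

// Fixed pattern: the same output, escaped for the HTML attribute context.
function render_search_box_fixed(string $search): string
{
    return '<input type="text" name="search" value="' . esc_attr($search) . '">';
}

// Defender's check: a correctly escaped value attribute contributes no raw
// double quotes of its own, so the whole tag contains exactly the two that
// delimit the attribute. More than two means the input broke out of it.
function attribute_breakout(string $html): bool
{
    return substr_count($html, '"') !== 2;
}

// Constructed input: a leading double quote closes value="" early so the rest
// of the string is parsed as additional attributes. The handler name is a
// placeholder, not a working payload.
$search = '" onfocus="PLACEHOLDER_HANDLER()" autofocus="';

foreach (['vulnerable' => render_search_box_vulnerable($search),
          'fixed'      => render_search_box_fixed($search)] as $label => $html) {
    printf("%-10s breakout=%s  %s\n", $label, attribute_breakout($html) ? 'yes' : 'no', $html);
}
```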
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of authenticated users, including administrators. This can lead to session hijacking, account takeover, content modification, and privilege escalation. Since the payloads are stored in the database, they affect all users who view the compromised pages, creating persistent compromise of the WordPress site.
