Atomic Edge analysis of CVE-2025-68852:
The Court Reservation WordPress plugin version 1.10.8 and earlier contains a reflected cross-site scripting (XSS) vulnerability. It affects multiple administrative interface components and allows unauthenticated attackers to inject scripts that execute in an administrator's browser. The CVSS score of 6.1 reflects the medium severity of this client-side security issue.
Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping across multiple form submission endpoints. The vulnerable code paths include courtres-challenges.php line 31, courtres-court.php line 61, courtres-emailtemplate.php line 22, courtres-event.php line 78, courtres-events.php line 15, courtres-reservations.php line 23, courtres-settings.php line 21, and courtres-ui.php line 22. Each endpoint processes POST parameters without proper nonce verification, enabling attackers to craft malicious requests that reflect unsanitized user input back to administrators.
Exploitation requires an attacker to trick an authenticated administrator into clicking a malicious link or visiting a crafted page. The attack vector uses the plugin's administrative endpoints with injected JavaScript payloads in POST parameters. For example, an attacker could target /wp-admin/admin.php?page=courtres-challenges with a POST request containing malicious script tags in parameters like 'id' or 'delete'. The payload executes in the administrator's browser context when the page processes the unsanitized input.
The patch adds WordPress nonce verification to all vulnerable endpoints. In courtres-challenges.php lines 31-41, the code now checks for courtres_delete_challenge_nonce before processing deletion requests. Similar nonce checks appear in courtres-court.php lines 61-71 and 74-84, courtres-emailtemplate.php lines 22-32, courtres-event.php lines 78-88 and 124-134, courtres-events.php lines 16-26, courtres-reservations.php lines 33-43, courtres-settings.php lines 22-32 and 39-49, and courtres-ui.php lines 22-32. The patch also adds nonce fields to the corresponding forms, such as the wp_nonce_field call in courtres-challenges.php line 72.
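The following is an added, illustrative example of the defect class described in the root-cause paragraph and of the nonce-based fix described in the patch paragraph. It is not the Court Reservation plugin's own code: the plugin's handlers are not reproduced on this page, and everything except the nonce field name courtres_delete_challenge_nonce and the WordPress API functions (wp_nonce_field, wp_verify_nonce, wp_unslash, absint, esc_html, current_user_can, wp_die) is assumed, including the action string 'courtres_delete_challenge', the function names, and the capability check. One caveat a reviewer would raise: a nonce check stops a third-party page from delivering the forged POST (the cross-site step the advisory relies on), but it does not by itself neutralize script in reflected input; output escaping does that, so the hardened handler below applies both.

```php
<?php
// Illustrative handlers modelled on the CVE-2025-68852 advisory above.
// Not the plugin's code; names other than courtres_delete_challenge_nonce and
// WordPress core functions are assumptions for this example.

// --- Vulnerable pattern: POST input used and reflected with no nonce check and no escaping ---
function courtres_example_vulnerable_delete() {
    if ( isset( $_POST['delete'] ) ) {
        $id = $_POST['id'];                       // raw, unvalidated request input
        // ... deletion logic would run here ...
        // The value is written straight into the admin page, so any markup in it renders.
        echo '<div class="notice"><p>Deleted challenge ' . $id . '</p></div>';
    }
}

// --- Hardened form: emits a nonce bound to the action and to the current user's session ---
function courtres_example_hardened_form( $challenge_id ) {
    echo '<form method="post">';
    // Adds a hidden input named courtres_delete_challenge_nonce (the field the patch checks).
    wp_nonce_field( 'courtres_delete_challenge', 'courtres_delete_challenge_nonce' );
    printf( '<input type="hidden" name="id" value="%s">', esc_attr( absint( $challenge_id ) ) );
    printf( '<button type="submit" name="delete" value="1">%s</button>', esc_html( 'Delete' ) );
    echo '</form>';
}

// --- Hardened handler: nonce verification, capability check, validation, escaped output ---
function courtres_example_hardened_delete() {
    if ( ! isset( $_POST['delete'] ) ) {
        return;
    }

    // 1. Reject requests without a valid nonce. A page on another origin cannot obtain one,
    //    so a link or auto-submitting form planted by an attacker fails at this point.
    $nonce = isset( $_POST['courtres_delete_challenge_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['courtres_delete_challenge_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'courtres_delete_challenge' ) ) {
        wp_die( esc_html( 'Security check failed.' ), '', array( 'response' => 403 ) );
    }

    // 2. Nonces are not an authorization mechanism; check the capability separately.
    //    'manage_options' is an assumed capability for this example.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // 3. Validate the identifier as a positive integer rather than trusting free-form text.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        return;
    }

    // ... deletion logic would run here ...

    // 4. Escape on output so the reflected value is rendered as text, never as markup.
    printf(
        '<div class="notice notice-success"><p>%s</p></div>',
        esc_html( sprintf( 'Deleted challenge %d', $id ) )
    );
}
```

The vulnerable function illustrates why all three checks matter together: the nonce stops the cross-site delivery, the capability check keeps the action limited to intended roles, and absint plus esc_html ensure that even a value that somehow reaches the page cannot be interpreted as script.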
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an authenticated administrator’s session. This can lead to session hijacking, administrative account compromise, site defacement, or injection of backdoors. The vulnerability affects the plugin’s administrative interface, giving attackers potential control over the reservation system and broader WordPress installation if administrative privileges are obtained.
