Atomic Edge analysis of CVE-2025-12037:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the WP 404 Auto Redirect to Similar Post WordPress plugin. The vulnerability affects the plugin's admin settings component, allowing attackers with administrator-level permissions to inject arbitrary scripts. The CVSS score of 4.4 reflects a medium severity impact, contingent on a multi-site installation or a configuration where the `unfiltered_html` capability is disabled: on a default single-site install administrators already hold `unfiltered_html`, so the flaw only crosses a trust boundary where that capability has been withheld from them.
Atomic Edge research identifies the root cause as insufficient input sanitization for the plugin's settings. The vulnerable code resides in the `sanitize_setting` function within `/wp-404-auto-redirect-to-similar-post/includes/admin.php`. Prior to patching, this function only sanitized the `fallback['url']` parameter. The `priority` setting, which is a user-controlled integer field in the plugin's admin panel, lacked any sanitization or type casting before being saved to the WordPress options database. This missing validation allowed non-integer values, including malicious scripts, to be stored.
The exploitation method requires an attacker to have administrator-level access to the WordPress backend. The attacker navigates to the plugin’s settings page, typically found at `/wp-admin/options-general.php?page=wp-404-auto-redirect`. They then submit a crafted payload within the ‘Priority’ field. A payload like `alert(document.domain)` would be submitted via a POST request to the `options.php` endpoint. Because the `priority` value was not sanitized, the script is stored in the database. The script executes in the browser of any administrator who later visits the plugin’s settings page, where the unsanitized value is echoed back.
The patch, implemented in version 1.0.6, addresses the issue by adding explicit integer type casting for the `priority` setting in two locations. In `/wp-404-auto-redirect-to-similar-post/class/class-settings.php` at line 82, the patch adds `$settings['priority'] = (int) $settings['priority'];`. In `/wp-404-auto-redirect-to-similar-post/includes/admin.php` at line 67, the patch adds an identical line within the `sanitize_setting` function. This dual-layer enforcement ensures any non-integer input, including HTML or script tags, is converted to an integer (typically 0) before storage and before use, neutralizing the XSS payload.
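A stricter form of the patched sanitizer, added here as an example and not taken from the plugin: it keeps the patch's idea (a non-integer `priority` collapses to an integer) but also handles a missing key, out-of-range values and extra keys explicitly, and shows the output-side escaping that should accompany it. The function names, the default of 0, the upper bound of 100 and `htmlspecialchars` standing in for WordPress's `esc_attr` are assumptions.

```php
<?php
// Added example, not the plugin's code: a stricter form of the sanitizer the
// 1.0.6 patch introduces. The default of 0, the bound of 100 and all function
// names are assumptions.

const PRIORITY_DEFAULT = 0;
const PRIORITY_MAX = 100;

// Accept only an integer (or integer string) within range; a script tag, a
// negative number, an array or a missing value all fall back to the default.
function sanitize_priority($value): int {
    $int = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => PRIORITY_MAX],
    ]);
    return $int === false ? PRIORITY_DEFAULT : $int;
}

// Rebuild the option from a whitelist of keys so a crafted POST to options.php
// cannot smuggle additional fields into the stored array.
function sanitize_settings(array $settings): array {
    $clean = [];
    $clean['priority'] = sanitize_priority($settings['priority'] ?? null);
    $method = (int) ($settings['method'] ?? 301);
    $clean['method'] = in_array($method, [301, 302], true) ? $method : 301;
    // Only http(s) fallback targets; a javascript: URL has no accepted scheme
    // (WordPress's sanitize_url() applies its own allowed-protocol list).
    $url = (string) ($settings['fallback']['url'] ?? '');
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $clean['fallback']['url'] = in_array($scheme, ['http', 'https'], true) ? $url : '';
    return $clean;
}

// Output side: escape even an int when echoing it into an attribute.
function priority_field_html(int $priority): string {
    return '<input type="number" name="wp_404_auto_redirect[priority]" value="'
        . htmlspecialchars((string) $priority, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs: the stored-XSS payload shape, a valid value, out-of-range
// values with a non-http fallback, and a request that omits the field entirely.
$cases = [
    ['priority' => '<script>alert(document.domain)</script>', 'method' => '301', 'fallback' => ['url' => 'http://example.com']],
    ['priority' => '5', 'method' => '302', 'fallback' => ['url' => 'http://example.com']],
    ['priority' => '-3', 'method' => '999', 'fallback' => ['url' => 'javascript:alert(1)']],
    ['method' => '301', 'fallback' => ['url' => 'http://example.com']],
];
foreach ($cases as $raw) {
    $clean = sanitize_settings($raw);
    echo json_encode($clean), ' => ', priority_field_html($clean['priority']), "\n";
}
```

Running it prints a `priority` of 0, 5, 0 and 0 for the four cases, with the `method` and fallback URL of the third case reset as well.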
Successful exploitation leads to stored cross-site scripting. An attacker with admin access can inject malicious JavaScript that executes in the context of any other administrator viewing the plugin settings. This can lead to session hijacking, site defacement, or the creation of new administrative accounts. The impact is limited to the WordPress admin area and requires specific site configurations, but it represents a significant risk for privilege persistence and lateral movement within a compromised admin panel.
--- a/wp-404-auto-redirect-to-similar-post/class/class-settings.php
+++ b/wp-404-auto-redirect-to-similar-post/class/class-settings.php
@@ -79,6 +79,9 @@
// Esc Fallback
$settings['fallback']['url'] = esc_url($settings['fallback']['url']);
+ // Esc Priority
+ $settings['priority'] = (int) $settings['priority'];
+
// Headers
if(((int)$settings['method'] != 301) && ((int)$settings['method'] != 302)){
$settings['method'] = 301;
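Review bot: the new `(int)` cast on `$settings['priority']` reads the key unconditionally, so a request that omits the field raises an undefined-index warning before the cast yields 0; guard it, e.g. `$settings['priority'] = isset($settings['priority']) ? (int) $settings['priority'] : 0;`. The `method` check directly below clamps its value to an allowed set, while `priority` gets no range check at all; if negative or very large priorities are meaningless for the redirect logic, clamp them the same way.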
--- a/wp-404-auto-redirect-to-similar-post/includes/admin.php
+++ b/wp-404-auto-redirect-to-similar-post/includes/admin.php
@@ -64,6 +64,7 @@
function sanitize_setting($settings){
$settings['fallback']['url'] = sanitize_url($settings['fallback']['url']);
+ $settings['priority'] = (int) $settings['priority'];
return $settings;
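Review bot: `sanitize_setting()` now casts `priority` but still returns every other field untouched, so `method` is only validated later in class-settings.php and any other key carried by a POST to options.php is stored verbatim. Since this is the callback that runs before the option is saved, it should be the single place that whitelists the expected keys and validates each one, rather than relying on a second cast at read time.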
--- a/wp-404-auto-redirect-to-similar-post/wp-404-auto-redirect-similar-post.php
+++ b/wp-404-auto-redirect-to-similar-post/wp-404-auto-redirect-similar-post.php
@@ -2,7 +2,7 @@
/**
* Plugin Name: WP 404 Auto Redirect to Similar Post
* Description: Automatically Redirect any 404 page to a Similar Post based on the Title, Post Type & Taxonomy using 301 Redirects!
- * Version: 1.0.5
+ * Version: 1.0.6
* Author: hwk-fr
* Author URI: https://hwk.fr
* Text Domain: wp-404-auto-redirect
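Review bot: nothing in this hunk records why the version moved from 1.0.5 to 1.0.6; pair the bump with a changelog entry naming the `priority` sanitization fix so site owners can tell that 1.0.6 is a security release.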
@@ -36,6 +36,19 @@
Use WP_404_Auto_Redirect_Ajax;
Use WP_404_Auto_Redirect_Debug;
+ var $engines;
+ var $groups;
+ var $search;
+ var $settings;
+
+
+ /**
+ * construct
+ */
+ function __construct(){
+ // ...
+ }
+
/**
* init
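Review bot: this hunk is unrelated to the XSS fix. It declares four class properties with the legacy `var` keyword and adds a constructor whose body appears only as `// ...`, so its behaviour cannot be reviewed from this excerpt; use explicit visibility (`public` or `private`) instead of `var`, and either show the constructor body or split this change out of the security patch so the fix stays reviewable on its own.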
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12037 - WP 404 Auto Redirect <= 1.0.5 - Authenticated (Admin+) Stored Cross-Site Scripting

// CONFIGURATION
$target_url = 'http://vulnerable-site.local/wp-admin/'; // Base WordPress admin URL
$username = 'admin'; // Administrator username
$password = 'password'; // Administrator password
$payload = '<script>alert("Atomic Edge XSS Test: "+document.domain)</script>'; // XSS payload for the priority field

// Initialize cURL session for cookie handling
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// STEP 1: Authenticate to WordPress
$login_url = $target_url . 'admin-ajax.php';
$login_data = http_build_query([
    'action' => 'myplugin_login', // This is a placeholder; real login requires nonce and wp-login.php
]);
// Note: A real PoC would need to handle the WordPress login flow via wp-login.php and nonce.
// This script skeleton demonstrates the attack vector but cannot execute without full auth handling.
echo "[!] Full authentication flow required for a working PoC. This script is a demonstration of the exploit vector.\n";
echo "[+] Target: " . $target_url . "\n";
echo "[+] Vulnerability: Stored XSS in 'priority' setting of WP 404 Auto Redirect plugin.\n";
echo "[+] Attack Vector: POST to options.php with malicious payload in 'wp_404_auto_redirect[priority]' parameter.\n";
echo "[+] Payload: " . $payload . "\n";

// The actual exploit would involve:
// 1. Logging in via wp-login.php to obtain session cookies and nonce.
// 2. Loading the plugin settings page to get the settings nonce (_wpnonce).
// 3. Sending a POST request to /wp-admin/options.php with these parameters:
//    - option_page: 'wp_404_auto_redirect'
//    - action: 'update'
//    - _wpnonce: [nonce from settings page]
//    - _wp_http_referer: [referer]
//    - wp_404_auto_redirect[priority]: PAYLOAD
//    - wp_404_auto_redirect[method]: '301'
//    - wp_404_auto_redirect[fallback][url]: 'http://example.com'
//    - ... other required settings fields.
// 4. The payload would be stored and execute when an admin views the settings page.
curl_close($ch);
?>