CVE-2025-57926 PoC — WordPress Passster Plugin <= 4.2.18 - Cross Site Scripting (XSS) Vulnerability

Source

https://github.com/quetuan03/CVE-2025-57926

Associated Vulnerability

Title:WordPress Passster Plugin <= 4.2.18 - Cross Site Scripting (XSS) Vulnerability (CVE-2025-57926)
Description:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Passster content-protector allows Stored XSS.This issue affects Passster: from n/a through <= 4.2.18.

Description

WordPress Passster Plugin <= 4.2.18 is vulnerable to Cross Site Scripting (XSS)

Readme

Sink: According to the mechanism of WordPress Core, XSS is prevented in post content, but with this plugin, the content is encoded and then decoded when rendered, unintentionally creating an XSS vulnerability."
<img width="1263" height="710" alt="image" src="https://github.com/user-attachments/assets/09e7c151-a688-4f72-b053-782b950412f5" />
<img width="1411" height="711" alt="image" src="https://github.com/user-attachments/assets/174e9605-a4bb-4915-8ca6-2ce41443dfde" />

PoC: The base64 encoded payload <script>alert(1)</script> is PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
<img width="1848" height="846" alt="image" src="https://github.com/user-attachments/assets/8887508a-9ffb-472c-9c57-8a4af9a82527" />
<img width="1844" height="953" alt="image" src="https://github.com/user-attachments/assets/848d754d-96dc-4436-91cf-f5a3cccd91ba" />

File Snapshot


 [4.0K]  /data/pocs/e0b0f9950321d5c42bf2b4155a79f081723fff63
└── [ 840]  README.md

1 directory, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!