WPeMatico RSS Feed Fetcher < 2.8.13 – Contributor+ Stored XSS | CVE 2025-13031

Description

The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

There are two XSS issues.

First:

1) Login as a Contributor user to WP Admin.
2) Click WPeMatico tab and select "Add New Campaign".
3) Put any title for the campaign. Add an arbitrary RSS feed to the "Feeds for this campaign" section, such as CNN (http://rss.cnn.com/rss/cnn_topstories.rss).
4) Scroll down to "Post Template" and tick "Use custom posts template".
5) Paste the following XSS payload into the custom post template textbox: </textarea><script>alert(document.cookie)</script>
6) Click "Submit for review" on the right pane of the campaign.
7) XSS should trigger immediately on submission.
8) Login as Superadmin, click WPeMatico » All Campaigns and click on the newly created campaign and notice XSS execution.

Second:

1) As Superadmin go to WPeMatico -> Settings.
2) Tick the 'Enable "Rewrite" feature' checkbox.
3) Login as a contributor user to the wp-admin dashboard.
4) Click WPeMatico tab and select "Add New Campaign".
5) Put any title for the campaign. Add an arbitrary RSS feed to the "Feeds for this campaign" section, such as CNN (http://rss.cnn.com/rss/cnn_topstories.rss).
6) Scroll down to "Rewrite Options".
7) Put the XSS payload into either of the first 2 textboxes: </textarea><script>alert(document.cookie)</script>
8) Click "Submit for review" on the right pane of the campaign.
7) XSS should trigger immediately on submission.
8) Login as Superadmin, click WPeMatico » All Campaigns and click on the newly created campaign and notice XSS execution.