search

CVE-2025-4957 Walkthrough

hashtag
CVE-2025-4957 – Reflected XSS in ProfileGrid WordPress Plugin (Unauthenticated)

hashtag
Description

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘pm_get_messenger_notification’ function in all versions up to, and including, 5.9.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a logged-in user into performing an action such as clicking on a link.

The vulnerable endpoint is: /wp-admin/admin-ajax.php?action=pm_get_messenger_notification&timestamp=1&activity=<vulnerable parameter>&tid=1

hashtag
Vulnerable snippet

// public/class-profile-magic-public.php
public function pm_get_messenger_notification() { // (1)
	$pmmessenger = new PM_Messenger();
	$timestamp   = filter_input( INPUT_GET, 'timestamp', FILTER_VALIDATE_INT );
	$activity    = filter_input( INPUT_GET, 'activity' );
	$tid         = filter_input( INPUT_GET, 'tid' );
	 if($tid!=0)
	 {
		$return     = $pmmessenger->pm_get_messenger_notification( $timestamp, $activity, $tid );
		echo $return;
	 }
	die;
}

Before diving into the code snippet above, let's first explain the functions involved.

  1. filter_input(<type>, '<variable name>') this function has 2 main parameters to be passed (we will be introduced to another one shortly),

    1. <type> One of the INPUT_* constants, in our case INPUT_GET this variable means that we will receive data from a get parameter.

    2. <variable name> in our context it means the get parameter name the we will parse the value from.

As shown in the code snippet above.

The function pm_get_messenger_notification uses the filter_input function to get the activity value and put it in the corresponding variable. The issue lies in the fact that this implementation the pm_get_messenger_notification function get the value with no filtering nor sanitization and pass them to pm_get_messenger_notification method of the $pmmessenger object (that's a different function) and I will explain what is the problem with that via the next code snippet.

as shown at (2), the function uses activity directly from the passed parameter and return it as in json response, so by passing an XSS payload to the endpoint triggering the pm_get_messenger_notification function at (1) it will pass with no filters to the method pm_get_messenger_notification and then be displayed in response, and because the Content-Type is declared as text/html for the response this would allow the XSS to be executed.

hashtag
Exploitation

After installing wordpress, with the target version of the plugin, XSS can be triggered via the following endpoing: http://vulnerable.word.press/wp-admin/admin-ajax.php?action=pm_get_messenger_notification&timestamp=1753214905&activity=<img%20src=x%20onerror=alert()>&tid=1 via the activity parameters.

PS: To have the payload reflected to you, you need to have an active session and some sort of activity going in the account (simple activity is someone to send you a message) then visit the URL, other than that the response would be 0

The is the normal response without XSS payload

And this is the response while passing <img src=x onerror=alert()> to the timestamp parameter /wp-admin/admin-ajax.php?action=pm_get_messenger_notification&timestamp=%3Cimg%20src=x%20onerror=alert()%3E&activity=ss&tid=4

hashtag
Patch Analysis

The vulnerability was patched in version 5.9.5.5 of the plugin. The developers addressed the issue by sanitizing the activity parameter using:

An additional preventive measure — which was not implemented — would have been to explicitly set the response content type to JSON:

This would instruct the browser to treat the response as pure JSON, thereby blocking script execution, even if malicious content slipped through. While the input sanitization fix neutralizes the attack, setting the correct Content-Type as application/json would further harden the response against XSS.

hashtag
References

PreviousCVE-2025-6977 WalkthroughNextAndroid

Last updated