CVE-2025-0311
📋 TL;DR
This stored XSS vulnerability in the Orbit Fox WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages via the Pricing Table widget. The scripts execute whenever users view the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable versions of the plugin are affected.
💻 Affected Systems
- Orbit Fox by ThemeIsle (WordPress plugin)
📦 What is this software?
Orbit Fox by Themeisle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal user session cookies or credentials, potentially compromising user accounts.
If Mitigated
With proper user access controls and content security policies, impact is limited to isolated script execution without data exfiltration.
🎯 Exploit Status
Exploitation requires contributor-level WordPress access but is technically simple once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.44 and later
Vendor Advisory: https://wordpress.org/plugins/themeisle-companion/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Orbit Fox by ThemeIsle. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Pricing Table Widget
allTemporarily disable the vulnerable widget until patching is possible
Navigate to WordPress admin > Elementor > Settings > Advanced > Disable Pricing Table widget
Restrict Contributor Access
allTemporarily remove contributor-level editing permissions
Use WordPress role editor plugins to modify capabilities
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution
- Regularly audit user accounts and remove unnecessary contributor-level access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins > Orbit Fox by ThemeIsle version numberCheck Version:
wp plugin list --name='themeisle-companion' --field=versionVerify Fix Applied:
Verify plugin version is 2.10.44 or higher and test Pricing Table widget functionality📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with pricing table parameters
- Multiple failed login attempts followed by contributor account access
Network Indicators:
- Unexpected script tags in Pricing Table widget responses
- External JavaScript loading from unusual domains
SIEM Query:
source="wordpress.log" AND ("pricing-table" OR "obfx_modules") AND ("script" OR "javascript" OR "onclick")🔗 References
- https://github.com/Codeinwp/themeisle-companion/commit/47a17c86934cebbfc3f1a812f1afcaa20515c1f7
- https://github.com/Codeinwp/themeisle-companion/commit/c311050b372cf38e82d8ec9deadf4f21a8931487
- https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/obfx_modules/elementor-extra-widgets/widgets/elementor/pricing-table.php#L1024
- https://plugins.trac.wordpress.org/changeset/3219568/
- https://wordpress.org/plugins/themeisle-companion/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9d17a3a0-3c09-4d67-96d6-d97bde92f100?source=cve
