CVE-2025-0862
📋 TL;DR
This stored XSS vulnerability in the SuperSaaS WordPress plugin allows authenticated attackers with Contributor access or higher to inject malicious scripts via the 'after' parameter. The scripts execute in Chromium-based browsers when users view compromised pages. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- SuperSaaS – online appointment scheduling plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or perform actions as authenticated users.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal session cookies or display unwanted content to visitors.
If Mitigated
With proper input validation and output escaping, no script execution occurs, limiting impact to data display issues.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. The vulnerability details are publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.13 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3235242/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find SuperSaaS plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 2.1.13+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Remove Contributor Role Access
allTemporarily restrict Contributor role users from accessing the site until patching.
Content Security Policy
allImplement strict CSP headers to mitigate XSS impact.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'" in .htaccess or server config
🧯 If You Can't Patch
- Disable the SuperSaaS plugin entirely until patching is possible
- Implement web application firewall rules to block malicious 'after' parameter payloads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → SuperSaaS version. If version is 2.1.12 or lower, you are vulnerable.Check Version:
wp plugin list --name=supersaas --field=version (if WP-CLI installed)Verify Fix Applied:
After updating, verify plugin version shows 2.1.13 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with 'after' parameter containing script tags
- Multiple failed login attempts followed by successful Contributor-level login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected JavaScript payloads in HTTP requests
SIEM Query:
source="wordpress.log" AND "after=" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")🔗 References
- https://plugins.trac.wordpress.org/browser/supersaas-appointment-scheduling/tags/2.1.12/includes/shortcode.php#L15
- https://plugins.trac.wordpress.org/browser/supersaas-appointment-scheduling/tags/2.1.12/includes/shortcode.php#L31
- https://plugins.trac.wordpress.org/changeset/3235242/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8698255b-6c03-464b-8cb5-191d3e77009f?source=cve
