CVE-2025-30902
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in the ATL Software SRL AEC Kiosque WordPress plugin allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects all versions up to and including 1.9.3. Attackers can steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.
💻 Affected Systems
- ATL Software SRL AEC Kiosque WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, install backdoors, deface websites, or steal sensitive user data.
Likely Case
Attackers will craft malicious links containing XSS payloads to steal user session cookies, potentially compromising user accounts with limited privileges.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before reaching users, preventing exploitation.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited through phishing emails or malicious links. No public proof-of-concept was found at the time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.4 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'AEC Kiosque' plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 1.9.4+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate aec-kiosque
Web Application Firewall (WAF)
allConfigure WAF to block XSS payload patterns
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use browser security features like HttpOnly cookies and SameSite attributes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for AEC Kiosque version. If version is 1.9.3 or lower, system is vulnerable.Check Version:
wp plugin get aec-kiosque --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.9.4 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests containing script tags or JavaScript code to AEC Kiosque endpoints
- Multiple failed login attempts following suspicious URL visits
Network Indicators:
- HTTP requests with suspicious parameters containing <script>, javascript:, or encoded payloads
SIEM Query:
source="web_logs" AND (uri="*aec-kiosque*" AND (param="*<script>*" OR param="*javascript:*" OR param="*%3Cscript%3E*"))