CVE-2025-9333
📋 TL;DR
The Smart Docs WordPress plugin is vulnerable to stored cross-site scripting (XSS) in admin settings. Authenticated attackers with administrator privileges can inject malicious scripts that execute when users view affected pages. This only impacts WordPress multi-site installations or sites where unfiltered_html capability is disabled.
💻 Affected Systems
- Smart Docs WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to complete site takeover, data theft, or malware distribution to visitors.
Likely Case
Session hijacking, credential theft, or defacement of admin pages by malicious administrators.
If Mitigated
Limited impact due to requirement for administrator credentials and specific WordPress configurations.
🎯 Exploit Status
Requires administrator-level WordPress credentials and specific WordPress configuration conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.2 or later
Vendor Advisory: https://wordpress.org/plugins/smart-docs/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Smart Docs plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete plugin, then install latest version from WordPress repository.
🔧 Temporary Workarounds
Disable Smart Docs Plugin
allTemporarily disable the vulnerable plugin until patched version is available
wp plugin deactivate smart-docs
Enable unfiltered_html for Administrators
allEnable unfiltered_html capability for administrator users (single-site only workaround)
Add define('DISALLOW_UNFILTERED_HTML', false); to wp-config.php
🧯 If You Can't Patch
- Remove administrator access from untrusted users
- Implement web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Smart Docs version. If version is 1.1.1 or earlier, system is vulnerable.Check Version:
wp plugin get smart-docs --field=versionVerify Fix Applied:
Verify Smart Docs plugin version is 1.1.2 or later in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual admin user activity modifying plugin settings
- JavaScript payloads in WordPress admin POST requests
Network Indicators:
- Suspicious JavaScript in HTTP responses from WordPress admin pages
SIEM Query:
source="wordpress" AND (plugin="smart-docs" OR uri="/wp-admin/admin.php?page=smart-docs") AND (method="POST" OR status=200) AND (payload LIKE "%<script>%" OR payload LIKE "%javascript:%")