CVE-2025-11238 Overview
CVE-2025-11238 is a stored Cross-Site Scripting (XSS) vulnerability in the Watu Quiz plugin for WordPress. The flaw affects all versions up to and including 3.4.4. It stems from insufficient input sanitization and output escaping of the HTTP Referer header when the "Save source URL" option is enabled. Unauthenticated attackers can inject arbitrary JavaScript that executes in the browser of any user viewing an affected page. The issue is tracked under CWE-79.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript that executes in the browsers of site visitors and administrators. Because WordPress sets its authentication cookies HttpOnly, the practical risk is not cookie theft but the script issuing authenticated requests from the administrator's browser (including fetching the nonces WordPress requires), which is enough for account takeover and arbitrary actions in the WordPress dashboard.
Affected Products
- Watu Quiz plugin for WordPress, versions <= 3.4.4
- WordPress sites with the "Save source URL" option enabled in Watu Quiz
- Patched in Watu Quiz version 3.4.5 (per plugin changeset)
Discovery Timeline
- 2025-10-25 - CVE-2025-11238 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-11238
Vulnerability Analysis
The Watu Quiz plugin captures the source URL of quiz submissions by reading the HTTP Referer request header. When the "Save source URL" option is enabled, the plugin stores the header value in the database without applying sufficient sanitization. The stored value is later rendered in administrative or public-facing pages without proper output escaping.
Because the Referer header is fully attacker-controlled, an unauthenticated user can submit a quiz request with a crafted header containing HTML or JavaScript payloads. The payload persists in the database and executes whenever the affected page loads in a victim's browser.
Exploitation requires no authentication; the only user interaction is an administrator or visitor loading the page that renders the stored value. The script then acts with the viewer's privileges: forced administrative actions (for example creating an administrator account or editing plugin files through the dashboard), content modification, and redirection to attacker-controlled infrastructure. Reading the session cookie directly is blocked by WordPress's HttpOnly auth cookies, but the script does not need the cookie to act as the logged-in user.
Root Cause
The plugin trusts the Referer header as a benign metadata field. It fails to apply WordPress sanitization helpers such as esc_url_raw() on input and esc_url() or esc_html() on output. The "Save source URL" feature widens the attack surface by persisting the unsanitized header server-side. Sanitizing on input is necessary but not sufficient: records written before the fix remain in the database, so context-appropriate escaping at the point of output is what neutralizes existing data.
Attack Vector
An attacker sends an HTTP request to the quiz submission endpoint with a malicious Referer header containing a JavaScript payload. The plugin writes the value into quiz result records. When an administrator reviews quiz results or a visitor loads a page rendering the source URL, the script executes in their browser context. See the WordPress plugin changeset and the Wordfence vulnerability report for the upstream fix and technical write-up.
Detection Methods for CVE-2025-11238
Indicators of Compromise
- HTTP requests to Watu Quiz submission endpoints containing <script>, javascript:, or HTML event handlers (e.g., onerror=, onload=) within the Referer header.
- Database entries in Watu Quiz tables where stored source URL fields contain HTML tags or JavaScript instead of valid URLs.
- Unexpected outbound requests from administrator browsers to unfamiliar domains shortly after viewing the quiz results dashboard.
Detection Strategies
- Inspect web server access logs for anomalous Referer headers on requests to /wp-admin/admin-ajax.php or Watu Quiz endpoints. The Apache and nginx "combined" log format records the Referer; the "common" format does not, so confirm which one the site writes before relying on this.
- Run database queries against Watu Quiz tables to identify rows where the stored URL field does not match a valid URL pattern (for example, any value containing <, >, or a scheme other than http or https).
- Deploy a Web Application Firewall (WAF) rule that blocks requests carrying script-like content in the Referer header, scoped to the quiz submission endpoints where possible to limit false positives.
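The log-inspection strategy above, as an added example (this is not code from the Watu Quiz plugin, Wordfence, or WordPress). It assumes the Apache/nginx "combined" log format, which records the Referer field; the sample log lines, the IP addresses and the quiz page path are constructed, and the list of target paths should be extended with the site's own quiz URLs.

```python
"""Scan web-server access log lines for Referer headers that carry HTML or
JavaScript aimed at WordPress endpoints, the CVE-2025-11238 indicator
described above.

Added example; this is not code from the Watu Quiz plugin, Wordfence, or
WordPress. It assumes the Apache/nginx "combined" log format, which records
the Referer field, and the sample log lines below are constructed."""
import re
from urllib.parse import unquote

# Combined log format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The indicators from the list above (script tags, javascript: URLs, event
# handlers) plus the tag names most often used to carry a handler.
SCRIPT_RE = re.compile(
    r'(<\s*script\b|javascript\s*:|<\s*(?:img|svg|iframe)\b'
    r'|\bon(?:error|load|mouseover|focus|click|toggle)\s*=)',
    re.I,
)

# Request paths that reach Watu Quiz submission handling. admin-ajax.php is
# WordPress's AJAX entry point; add the site's own quiz page paths here
# (assumption: the exact quiz URLs depend on the site).
DEFAULT_TARGETS = ("/wp-admin/admin-ajax.php",)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_referer(referer):
    """True if the Referer contains HTML or JavaScript.

    The value is tested both raw and percent-decoded: a plugin that decodes
    the header before storing it would turn an encoded payload back into
    live markup, so a raw-only check would miss that case."""
    if not referer or referer == "-":
        return False
    return bool(SCRIPT_RE.search(referer) or SCRIPT_RE.search(unquote(referer)))


def scan(lines, targets=DEFAULT_TARGETS):
    """Return the parsed records whose Referer looks hostile.

    Each hit carries 'targets_endpoint' so that hits against the submission
    endpoint (the ones that can actually reach the vulnerable store) can be
    prioritised over noise on other paths."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not suspicious_referer(rec["referer"]):
            continue
        rec["targets_endpoint"] = rec["path"].startswith(targets)
        hits.append(rec)
    return hits


# Constructed sample lines: one payload sent to admin-ajax.php, one clean
# submission, one percent-encoded payload on a quiz page, one junk line.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Oct/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '200 512 "http://example.com/quiz/<script src=//203.0.113.5/x.js></script>" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Oct/2025:10:03:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '200 480 "https://example.com/quiz/intro/" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Oct/2025:10:05:40 +0000] "GET /quiz/ HTTP/1.1" '
    '200 9001 "http://example.com/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E" "curl/8.0"',
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "ENDPOINT" if hit["targets_endpoint"] else "other   "
        print(f'{flag} {hit["ip"]} {hit["path"]} referer={hit["referer"]!r}')
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))`; the event-handler list in SCRIPT_RE is deliberately short to keep false positives down, and should be widened only after reviewing what it flags on the site's normal traffic.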
Monitoring Recommendations
- Alert on creation of new WordPress administrator accounts or unauthorized changes to user roles following quiz submissions.
- Monitor WordPress plugin and theme file modifications for unexpected JavaScript injection consistent with XSS-driven follow-on attacks.
- Track outbound traffic from administrator workstations for connections to suspicious or newly registered domains.
How to Mitigate CVE-2025-11238
Immediate Actions Required
- Update the Watu Quiz plugin to version 3.4.5 or later on every WordPress site where it is installed.
- Audit existing quiz result records and remove or sanitize any stored source URL values containing HTML or script content. Updating the plugin does not rewrite records that were stored before the patch.
- Force password resets and invalidate active sessions for WordPress administrators if exploitation is suspected.
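The audit step above, together with the database check in the Detection Strategies section and the sanitize-on-store, escape-on-output point made under Root Cause, as one added example. This is not code from the Watu Quiz plugin or WordPress: the two helpers are Python analogues of what esc_url_raw() (on store) and esc_html() (on output) are used for, not those functions. The records are constructed, and no Watu Quiz table or column name is assumed; feed in the values from whatever query matches the installed schema.

```python
"""Audit stored "source URL" values and demonstrate the sanitize-on-store,
escape-on-output pattern that the fix for CVE-2025-11238 relies on.

Added example, not code from the Watu Quiz plugin or WordPress. The two
helpers are Python analogues of what WordPress's esc_url_raw() (on store)
and esc_html() (on output) are used for, not those functions. The rows
below are constructed; the Watu Quiz table and column names are not assumed
here, so pass in the values from whatever query matches the installed
schema."""
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Characters that never appear in a browser-sent Referer (browsers
# percent-encode them) and are the usual carriers of injected markup.
BAD_CHARS = re.compile(r'[<>"\'\s]')


def sanitize_source_url(value):
    """Return the value if it is a plain absolute http(s) URL, else None.

    Rejecting the whole value, rather than stripping characters out of it,
    means a hostile Referer results in no stored source at all instead of a
    mangled string that may still look like data to a later consumer."""
    if not value:
        return None
    value = value.strip()
    if BAD_CHARS.search(value):
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return value


def render_source_url(stored):
    """Escape on output no matter what the database holds: records written
    before the fix, or by another code path, may still be tainted."""
    if stored is None:
        return "-"
    return html.escape(stored, quote=True)


def audit(rows):
    """Classify existing (id, value) records.

    Returns (id, action, clean_value) where action is 'keep' for a valid URL
    (clean_value is the normalised form) and 'clear' for anything else
    (clean_value is None, i.e. the column should be emptied)."""
    report = []
    for row_id, value in rows:
        clean = sanitize_source_url(value)
        report.append((row_id, "keep" if clean is not None else "clear", clean))
    return report


# Constructed records: one valid source URL and four that must be cleared.
SAMPLE_ROWS = [
    (1, "https://example.com/quiz/intro/"),
    (2, "http://example.com/quiz/<script src=//203.0.113.5/x.js></script>"),
    (3, "javascript:alert(document.domain)"),
    (4, "https://example.com/?ref=<img src=x onerror=alert(1)>"),
    (5, ""),
]

if __name__ == "__main__":
    for row_id, action, clean in audit(SAMPLE_ROWS):
        print(f"row {row_id}: {action:5} -> {render_source_url(clean)}")
```

The validator is stricter than esc_url_raw() (it rejects any non-http(s) scheme and any value containing quotes or whitespace), which is the right trade-off for an audit: a Referer that fails these checks was not sent by a browser and carries no information worth keeping.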
Patch Information
The vendor addressed the issue in the upstream commit referenced in the WordPress Plugin Changeset 3373855, which adds proper sanitization and output escaping for the stored Referer value. Site owners should upgrade through the WordPress plugin manager. The Wordfence Vulnerability Report confirms that versions <= 3.4.4 are affected.
Workarounds
- Disable the "Save source URL" option in the Watu Quiz settings until the plugin can be updated.
- Deactivate and remove the Watu Quiz plugin if the feature is not required for site operations.
- Apply WAF rules that strip or block HTTP Referer headers containing <, >, or javascript: content directed at WordPress endpoints. Browsers percent-encode these characters in a Referer, so a raw match is almost always hostile; stripping the header is the lower-risk option, since blocking the whole request turns a rare false positive into a denied visitor.
# Example ModSecurity rule to block script payloads in Referer headers.
# The pattern is deliberately narrow; widen it only after checking the audit
# log for false positives, and consider chaining a REQUEST_URI match so the
# rule applies only to the quiz submission endpoint.
SecRule REQUEST_HEADERS:Referer "@rx (?i)(<script|javascript:|onerror=|onload=)" \
    "id:1011238,phase:1,deny,status:403,log,t:none,\
    msg:'CVE-2025-11238: Suspicious Referer header targeting Watu Quiz',\
    tag:'CVE-2025-11238'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.