AIO Cache and Performance - Reflected cross-site scripting (XSS)
Summary
Name | AIO Cache and Performance trunk - Reflected cross-site scripting (XSS) |
Code name | skims-0004 |
Product | AIO Cache and Performance |
Affected versions | Version trunk |
State | Private |
Release date | 2025-03-14 |
Vulnerability
Kind | Reflected cross-site scripting (XSS) |
Rule | Reflected cross-site scripting (XSS) |
Remote | No |
CVSSv4 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U |
CVSSv4 Base Score | 4.8 (Medium) |
Exploit available | No |
CVE ID(s) | CVE-2025-31289 |
Description
AIO Cache and Performance trunk was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/resources/cachehead/aio-cachehead.php.
Vulnerability
Skims by Fluid Attacks discovered a reflected cross-site scripting (XSS) vulnerability in AIO Cache and Performance trunk. The following is the output of the tool:
Skims output
23 | function phpch_setting_page() {
24 | global $opt_value;
25 |
26 | if (!current_user_can('manage_options'))
27 | wp_die( __('You do not have sufficient permissions to access this page.') );
28 |
29 | $opt_value = get_option( 'phpch_setting', 1800 );
30 |
31 | if ( is_numeric($_POST['phpch_value']) ) {
32 | $opt_value = $_POST['phpch_value'];
33 | update_option( 'phpch_setting', $opt_value );
34 | ?>
35 | <div class="updated"><p><strong><?php _e('Settings saved.', 'phpch-menu' ); ?></strong></p></div>
36 | <?php
37 | } elseif ( isset($_POST['phpch_submit_hidden']) && $_POST['phpch_submit_hidden'] = 'Y' ) {
38 | ?>
39 | <div class="updated"><p><strong><?php _e('Numeric values only!', 'phpch-menu' ); ?></strong></p></div>
40 | <?php
41 | }
42 |
43 | echo '<div class="wrap">';
44 | echo '<div id="icon-options-general" class="icon32"></div><h2>AIO Cache: PHP Expires Headers</h2>';
45 | ?>
46 | <h1><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=ECVJZ2MJMJTB6&currency_code=USD">To don
47 | <form name="form1" method="post" action="">
48 | <input type="hidden" name="phpch_submit_hidden" value="Y" />
49 | <h2>
50 | <label for="input1">Cache For </label>
> 51 | <input type="input" name="phpch_value" id="input1" value="<?php echo $opt_value; ?>" size="20" /> Seconds <br />
52 | </h2>
53 | <p>
54 | Cache For 0 Seconds = No Cache
55 | <br />
56 | </p>
57 | <h3 class=""submit"">
58 | <input type="submit" name="Submit" class="button-primary" value="<?php esc_attr_e('Save Changes') ?>" />
59 | </h3>
60 |
61 | </form>
62 | </div>
63 |
64 | <?php
65 |
66 | }
^ Col 0
Our security policy
We have reserved the ID CVE-2025-31289 to refer to this issue from now on.
System Information
- Product: AIO Cache and Performance
- Version: trunk
Mitigation
There is currently no patch available for this vulnerability.
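The following is an added example, not code from the plugin or from Fluid Attacks, showing how the sink flagged at line 51 of the Skims output could be hardened by encoding the value for an HTML attribute and by storing only whole seconds. The function names and sample values are hypothetical; `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the script runs outside WordPress.

```php
<?php
declare(strict_types=1);

// Sink as flagged by Skims: the value is concatenated into the
// value="" attribute without any output encoding.
function render_field_unescaped($opt_value): string {
    return '<input type="input" name="phpch_value" id="input1" value="'
        . $opt_value . '" size="20" />';
}

// Hardened sink: encode for an HTML attribute context.
// Inside WordPress, esc_attr( $opt_value ) is the call to use here.
function render_field_escaped($opt_value): string {
    $safe = htmlspecialchars((string) $opt_value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="input" name="phpch_value" id="input1" value="'
        . $safe . '" size="20" />';
}

// Hardened source: keep only a non-negative whole number of seconds.
// is_numeric() accepts more than plain integers (for example "1e3"),
// so the setting is parsed as an int and anything else falls back
// to the default of 1800 used by the plugin's get_option() call.
function normalize_seconds($raw, int $default = 1800): int {
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? $default : $v;
}

// Constructed sample values, not taken from the advisory.
$samples = ['1800', '1e3', '1800"><b>x</b>'];

foreach ($samples as $s) {
    echo 'input:      ', $s, PHP_EOL;
    echo 'unescaped:  ', render_field_unescaped($s), PHP_EOL;
    echo 'escaped:    ', render_field_escaped($s), PHP_EOL;
    echo 'normalized: ', normalize_seconds($s), PHP_EOL, PHP_EOL;
}
```

In the plugin itself the same two steps would apply where `$_POST['phpch_value']` is read and where `$opt_value` is echoed, so the value is constrained on the way in and encoded on the way out.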
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims.
Timeline

2025-03-14
Vulnerability discovered.

2025-03-14
Vendor contacted.