Best Rating and Pageviews - Reflected cross-site scripting (XSS)
Summary
Name | Best Rating and Pageviews 3.0.3 - Reflected cross-site scripting (XSS) |
Code name | skims-0008 |
Product | Best Rating and Pageviews |
Affected versions | Version 3.0.3 |
State | Private |
Release date | 2025-03-14 |
Vulnerability
Kind | Reflected cross-site scripting (XSS) |
Rule | Reflected cross-site scripting (XSS) |
Remote | Yes |
CVSSv4 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U |
CVSSv4 Base Score | 4.8 (Medium) |
Exploit available | No |
CVE ID(s) | CVE-2025-31293 |
Description
Best Rating and Pageviews 3.0.3 was found to be vulnerable. The web application dynamically generates web content from the untrusted request parameter $_REQUEST['page'] without validating or encoding it, in myapp/classes/system/class-brpv-statistics-page.php.
Vulnerability
Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in Best Rating and Pageviews 3.0.3. The following is the output of the tool:
Skims output
31 | public function get_html_feeds_list() {
32 | $brpvListTable = new BRPV_Statistics_WP_List_Table(); ?>
33 | <form method="get">
> 34 | <input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>"/>
35 | <input type="hidden" name="brpv_form_id" value="brpv_wp_list_table" />
36 | <?php $brpvListTable->prepare_items(); $brpvListTable->display(); ?>
37 | </form><?php // end get_html_feeds_list();
38 | }
^ Col 0
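The reported line echoes $_REQUEST['page'] into a double-quoted attribute, so any value containing a double quote closes the attribute and the rest of the input is parsed as HTML. The script below is an added example, not the plugin's code or a vendor patch: it renders the hidden input the way the reported line does, beside a hardened version that attribute-encodes the value and restricts it to the expected admin page slug. The probe value, the slug 'brpv-statistics' and the helper names are constructed for illustration; in WordPress the encoding step is esc_attr(), and the standalone fallback used here is htmlspecialchars() with ENT_QUOTES, which is equivalent for this context.

```php
<?php
// Added example, not code from the Best Rating and Pageviews plugin.
// Demonstrates the attribute-context reflection at the reported line and one
// way to harden it. Slug, probe payload and helper names are assumed.

// Equivalent of the reported line 34: the request value is concatenated into a
// double-quoted attribute with no encoding. Note that $_REQUEST merges GET,
// POST and cookie data, so the source is wider than the query string.
function render_page_input_vulnerable(array $request): string {
    $page = $request['page'] ?? '';
    return '<input type="hidden" name="page" value="' . $page . '"/>';
}

// Attribute encoding: esc_attr() when WordPress is loaded, otherwise the
// equivalent htmlspecialchars() call so this file runs on plain PHP.
function attr_escape(string $value): string {
    if (function_exists('esc_attr')) {
        return esc_attr($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: encode for the attribute context, and additionally
// allow-list the value, since this form only ever carries the plugin's own
// admin page slug (assumed to be 'brpv-statistics' for this example).
function render_page_input_hardened(array $request, array $allowedSlugs): string {
    $page = (string) ($request['page'] ?? '');
    if (!in_array($page, $allowedSlugs, true)) {
        $page = $allowedSlugs[0];
    }
    return '<input type="hidden" name="page" value="' . attr_escape($page) . '"/>';
}

// Constructed probe: closes the value attribute and the input tag, then starts
// a new element. This is the classic attribute break-out, not a real exploit.
$probe = ['page' => 'brpv-statistics"><img src=x onerror=alert(1)>'];
$allowed = ['brpv-statistics'];

echo "vulnerable: " . render_page_input_vulnerable($probe) . PHP_EOL;
echo "encoded:    " . '<input type="hidden" name="page" value="'
    . attr_escape($probe['page']) . '"/>' . PHP_EOL;
echo "hardened:   " . render_page_input_hardened($probe, $allowed) . PHP_EOL;
```

Run it with `php` on the command line: the first line shows the injected `<img>` element outside the input tag, the second shows the same value rendered inert as `&quot;&gt;&lt;img ...&gt;`, and the third shows the allow-listed slug. Encoding alone is sufficient to stop the reflection; the allow-list is defence in depth for a parameter whose only legitimate values are known in advance.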
Our security policy
We have reserved the ID CVE-2025-31293 to refer to this issue from now on.
System Information
- Product: Best Rating and Pageviews
- Version: 3.0.3
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims.
Timeline

2025-03-14
Vulnerability discovered.

2025-03-14
Vendor contacted.