Bulk Watermark - Reflected cross-site scripting (XSS)

Summary

Name	Bulk Watermark 1.6.10 - Reflected cross-site scripting (XSS)
Code name	skims-0009
Product	Bulk Watermark
Affected versions	Version 1.6.10
State	Private
Release date	2025-03-14

Vulnerability

Kind	Reflected cross-site scripting (XSS)
Rule	Reflected cross-site scripting (XSS)
Remote	No
CVSSv4 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U
CVSSv4 Base Score	4.8 (Medium)
Exploit available	No
CVE ID(s)	CVE-2025-31294

Description

Bulk Watermark 1.6.10 was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/bulk-watermark-plugin-installer.ph p.

Vulnerability

Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in Bulk Watermark 1.6.10. The following is the output of the tool:

Skims output

 423 | function update_mwa_plugin_installer_menu_disable_option(){
 424 | ob_clean();
 425 | check_ajax_referer( 'mywebsiteadvisor-plugin-installer-menu-disable', 'security' );
 426 |
 427 | update_option('mywebsiteadvisor_pluigin_installer_menu_disable', $_POST['checked']);
 428 |
> 429 |   echo  $_POST['checked'];
  430 |   die();
  431 |  }
      ^ Col 0

Our security policy

We have reserved the ID CVE-2025-31294 to refer to this issue from now on.

• https://fluidattacks.com/advisories/policy/

System Information

• Product: Bulk Watermark
• Version: 1.6.10

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims

Timeline