All-in-One Messenger - Reflected cross-site scripting (XSS)
Summary
| Field | Value |
|---|---|
| Name | All-in-One Messenger 1. - Reflected cross-site scripting (XSS) |
| Code name | skims-0038 |
| Product | All-in-One Messenger |
| Affected versions | Version 1. |
| State | Private |
| Release date | 2025-03-14 |
Vulnerability
| Field | Value |
|---|---|
| Kind | Reflected cross-site scripting (XSS) |
| Rule | Reflected cross-site scripting (XSS) |
| Remote | No |
| CVSSv4 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U |
| CVSSv4 Base Score | 4.8 (Medium) |
| Exploit available | No |
| CVE ID(s) | CVE-2025-31310 |
Description
All-in-One Messenger 1. was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/part/callback_facebook.php.
Vulnerability
Skims by Fluid Attacks discovered a reflected cross-site scripting (XSS) vulnerability in All-in-One Messenger 1.. The following is the output of the tool:
Skims output
```text
 1 | <?php
 2 |
 3 | if(isset($_GET['chat_bot']) && $_GET['chat_bot'] == 'facebook'){
 4 |
 5 |     $apiKey = get_option('facebook_token');
 6 |     $hubVerifyToken = get_option('facebook_callback_token');
 7 |
 8 |     if (isset($_REQUEST['hub_verify_token']) && $_REQUEST['hub_verify_token'] === $hubVerifyToken) {
>9 |         echo $_REQUEST['hub_challenge'];
10 |         exit;
11 |     }
12 |
13 |     $facebook = new bm_Messenger($apiKey);
14 |
15 |     //$facebook->respondSuccess();
16 |
17 |     $text = $facebook->Text() ? $facebook->Text() : '';
    ^ Col 0
```
Our security policy
We have reserved the ID CVE-2025-31310 to refer to this issue from now on.
System Information
- Product: All-in-One Messenger
- Version: 1.
Mitigation
There is currently no patch available for this vulnerability.
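As an added illustration (not the vendor's code and not a vendor patch), the following is a hardened form of the verification branch flagged above. It assumes WordPress's get_option(); the helper name aio_messenger_verify_webhook() is hypothetical.

```php
<?php
// Added example, not the plugin's own code: a hardened handler for the
// webhook verification branch flagged in the Skims output. Assumes
// WordPress's get_option(); aio_messenger_verify_webhook() is hypothetical.

/**
 * Build the response to a Messenger webhook verification request.
 * Takes $_GET (not $_REQUEST, so cookies and POST bodies cannot supply
 * the parameters) and returns the response so it can be unit tested.
 */
function aio_messenger_verify_webhook(array $request, string $expected): array
{
    $headers = [
        'Content-Type'           => 'text/plain; charset=utf-8',
        'X-Content-Type-Options' => 'nosniff', // browser must not sniff HTML
    ];
    $mode      = (string) ($request['hub_mode'] ?? '');
    $token     = (string) ($request['hub_verify_token'] ?? '');
    $challenge = (string) ($request['hub_challenge'] ?? '');

    // Only the subscription handshake is handled here; an unset option
    // (get_option() returns false, cast to '') must never match.
    if ($mode !== 'subscribe' || $expected === '' || !hash_equals($expected, $token)) {
        return ['status' => 403, 'headers' => $headers, 'body' => 'Forbidden'];
    }
    // Allow only characters that can never form markup, so the reflected
    // value is inert even if the content type were ignored (the challenge
    // Meta sends is documented as a numeric string, which this accepts).
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $challenge)) {
        return ['status' => 400, 'headers' => $headers, 'body' => 'Bad Request'];
    }
    return ['status' => 200, 'headers' => $headers, 'body' => $challenge];
}

// Drop-in replacement for the flagged block in callback_facebook.php:
// every handshake attempt is answered and the script stops, whether or
// not the token matched, instead of falling through to message handling.
if (($_GET['chat_bot'] ?? '') === 'facebook' && isset($_GET['hub_verify_token'])) {
    $resp = aio_messenger_verify_webhook($_GET, (string) get_option('facebook_callback_token'));
    http_response_code($resp['status']);
    foreach ($resp['headers'] as $name => $value) {
        header($name . ': ' . $value);
    }
    echo $resp['body'];
    exit;
}
```

The plain-text content type plus the character allow-list means the reflected value can never be interpreted as HTML, and hash_equals() avoids leaking the token through timing differences.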
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims.
Timeline
- 2025-03-14: Vulnerability discovered.
- 2025-03-14: Vendor contacted.