Bg forReaders - Reflected cross-site scripting (XSS)
Summary
| Field | Value |
|---|---|
| Name | Bg forReaders trunk - Reflected cross-site scripting (XSS) |
| Code name | skims-0057 |
| Product | Bg forReaders |
| Affected versions | Version trunk |
| State | Private |
| Release date | 2025-03-14 |
Vulnerability
| Field | Value |
|---|---|
| Kind | Reflected cross-site scripting (XSS) |
| Rule | Reflected cross-site scripting (XSS) |
| Remote | No |
| CVSSv4 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U |
| CVSSv4 Base Score | 4.8 (Medium) |
| Exploit available | No |
| CVE ID(s) | CVE-2025-31318 |
Description
Bg forReaders trunk was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/includes/rss-opds.php.
Vulnerability
Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in Bg forReaders trunk. The following is the output of the tool:
Skims output
14 | function bg_forreaders_opdsRSSFunc(){
15 |
16 | $include = array();
17 | $exclude = array();
18 | $ex_cats = explode ( ',', get_option('bg_forreaders_excat') ); // if some categories are disallowed
19 | $i = 0;
20 | foreach($ex_cats as $cat) {
21 | $idObj = get_category_by_slug(trim($cat));
22 | if ($idObj) {
23 | $exclude[$i] = $idObj->term_id;
24 | $i++;
25 | }
26 | }
27 | if (get_option('bg_forreaders_cats') != 'excluded') {
28 | $include = $exclude;
29 | $exclude = array();
30 | }
31 | // Headers
32 | header('Content-Type: '.feed_content_type('rss-http').'; charset='.get_option('blog_charset'), true);
33 | echo '<?xml version="1.0" encoding="'.get_option('blog_charset').'" ?'.'>'.PHP_EOL;
34 | ?>
35 | <feed xml:lang="ru-RU" xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
36 | <link rel="search" title="<?php _e('Search', 'bg-forreaders') ?>" type="application/atom+xml" href="<?php echo OPDS_FEED
37 | <updated><?php echo date('c'); ?></updated>
38 | <author>
39 | <name><?php bloginfo('name'); ?></name>
40 | <uri><?php echo get_site_url(); ?></uri>
41 | </author>
42 | <?php
43 | if (empty ($_GET)) { // Start page: top-level categories
44 | ?>
45 | <title><?php _e('OPDS catalogue', 'bg-forreaders') ?> "<?php bloginfo('name'); ?>"</title>
46 | <?php
47 | bg_forreaders_the_folders(0, $include, $exclude);
48 |
49 | } elseif (isset($_GET['cat'])) { // Subcategories
50 | ?>
51 | <title><?php bloginfo('name'); ?> - <?php echo get_cat_name( $_GET['cat'] ) ?></title>
52 | <?php
53 | bg_forreaders_the_folders($_GET['cat'], $include, $exclude);
54 |
55 | } elseif (isset($_GET['offset'])) { // The 10 most recent files, shifted by offset
56 | $next = $_GET['offset'];
57 | ?>
58 | <title><?php bloginfo('name'); ?> - <?php _e('New', 'bg-forreaders') ?> (<?php echo ($next+1)." - ".($next+10); ?>)</tit
59 | <?php
60 | $posts = query_posts( array(
61 | 'post_type' => 'post',
62 | 'post_status' => 'publish',
63 | 'has_password'=> false,
64 | 'post_password' => "",
65 | 'offset' => $_GET['offset'],
66 | 'ignore_sticky_posts' => true,
67 | 'category__in' => $include,
68 | 'category__not_in' => $exclude,
69 | 'meta_key'=> 'for_readers',
70 | 'orderby' => 'post_date',
71 | 'order' => 'DESC',
72 | 'posts_per_page' => 10
73 | ));
74 | bg_forreaders_the_books();
75 | $next = $_GET['offset']+10;
76 | ?>
77 | <entry>
78 | <title><?php _e('Next', 'bg-forreaders') ?> (<?php echo ($next+1)." - ".($next+10); ?>) >></title>
79 | <id>urn:<?php echo OPDS_NAME; ?>:next</id>
80 | <link href="<?php echo OPDS_FEED."?offset=". $next; ?>" type="application/atom+xml"/>
81 | </entry>
82 | <?php
83 | } elseif (isset($_GET['q'])) { // Search query
84 | ?>
> 85 | <title><?php bloginfo('name'); ?> - "<?php echo $_GET['q']; ?>"</title>
86 | <?php
87 | global $wpdb;
88 | $postids = $wpdb->get_col("SELECT ID FROM wp_posts WHERE post_title LIKE '".$_GET['q']."' ");
89 | if (!empty($postids)) {
90 | $posts = query_posts( array(
91 | 'post__in' => $postids,
92 | 'has_password'=> false,
93 | 'post_password' => "",
94 | 'ignore_sticky_posts' => true,
95 | 'category__in' => $include,
96 | 'category__not_in' => $exclude,
97 | 'posts_per_page' => -1
98 | ));
99 | bg_forreaders_the_books();
100 | }
101 | }
102 | ?>
103 | </feed>
104 | <?php
105 | }
^ Col 0
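The sink Skims flags is line 85, where the raw `$_GET['q']` value is concatenated into the `<title>` element of the Atom document. The following is an added example, not the plugin's code or a vendor patch: it isolates that one sink, renders it both in the vulnerable shape shown above and with output escaping suited to XML text content, and checks the difference outside WordPress. The function names are hypothetical; the only WordPress detail assumed is that `esc_html()` would be the in-tree equivalent of the `htmlspecialchars()` call used here.

```php
<?php
// Added example (not the plugin's code): the search-title sink from
// rss-opds.php line 85, rendered unsafely and safely so the two can be
// compared without a WordPress install. Function names are hypothetical.

// Vulnerable shape: the query string is concatenated straight into XML
// text, so any markup metacharacters it carries become markup.
function render_search_title_unsafe(string $blogName, string $q): string
{
    return '<title>' . $blogName . ' - "' . $q . '"</title>';
}

// Hardened shape: escape for XML text content at the point of output.
// ENT_QUOTES covers both quote styles, ENT_XML1 keeps the entities valid
// in an XML document (e.g. &#039; rather than the HTML-only &apos;),
// ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8,
// and the charset is stated explicitly rather than inherited.
// In WordPress code the equivalent call would be esc_html() (assumption).
function xml_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_title_safe(string $blogName, string $q): string
{
    return '<title>' . xml_text($blogName) . ' - "' . xml_text($q) . '"</title>';
}

// Constructed sample input: a search term that carries XML/HTML
// metacharacters, as an attacker-controlled query parameter might.
$sample = 'Tolstoy</title><b>x</b>';
$unsafe = render_search_title_unsafe('Library', $sample);
$safe   = render_search_title_safe('Library', $sample);

// Unsafe: the input terminates <title> and introduces its own element.
assert(str_contains($unsafe, '</title><b>'));
// Safe: every metacharacter survives only as an entity, so the document
// structure is exactly the one the template author wrote.
assert(!str_contains($safe, '<b>'));
assert($safe === '<title>Library - &quot;Tolstoy&lt;/title&gt;&lt;b&gt;x&lt;/b&gt;&quot;</title>');

echo $unsafe, PHP_EOL, $safe, PHP_EOL;
```

Run it with `php` (8.0 or newer, for `str_contains`). The same escaping applies to every other place in the function where a request parameter or a database value is written into element content; escaping at the output site, in the encoding of the enclosing document, is what keeps a reflected value from being interpreted as markup regardless of how it arrived.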
Our security policy
We have reserved the ID CVE-2025-31318 to refer to this issue from now on.
System Information
- Product: Bg forReaders
- Version: trunk
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims.
Timeline

2025-03-14
Vulnerability discovered.

2025-03-14
Vendor contacted.