CVE-2015-9357

MEDIUM

Akismet < 3.1.5 - Cross-Site Scripting

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-9357. PoCs published by saretawa.

AI-analyzed exploit summary This PoC exploits a stored XSS vulnerability in WordPress's smiley/emoticon parser (CVE-2015-9357) to break out of attribute context and execute JavaScript in an admin's session. The exploit chains this to forge a nonce and create a new administrator account via the WordPress user creation endpoint.

Description

The akismet plugin before 3.1.5 for WordPress has XSS.

Exploits (1)

nomisec WORKING POC
by saretawa · poc
https://github.com/saretawa/CVE-2015-9357-POC

This PoC exploits a stored XSS vulnerability in WordPress's smiley/emoticon parser (CVE-2015-9357) to break out of attribute context and execute JavaScript in an admin's session. The exploit chains this to forge a nonce and create a new administrator account via the WordPress user creation endpoint.

Classification
Working Poc 98%
Attack Type
Xss
Complexity
Moderate
Reliability
Racy
Target: WordPress (with affected smiley/emoticon parser, likely via plugins/themes like Akismet)
No auth needed
Prerequisites: Target must have a field that applies WordPress smiley conversion (e.g., comments, contact forms) · Admin must view the malicious input for XSS to trigger · Outbound HTTP requests from the admin's browser must be allowed to the attacker's listener
mistral-large-3 · analyzed Jul 05, 2026 Full analysis →

References (1)

Core 1
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/akismet/#developers

Scores

CVSS v3 6.1
EPSS 0.0096
EPSS Percentile 57.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
automattic/akismet < 3.1.5
Published Aug 28, 2019
Tracked Since Feb 18, 2026