Security Advisory: CVE-2025-57681 - Stored XSS in WorklogPRO DC

This advisory documents a Stored Cross-Site Scripting (XSS) vulnerability discovered in the WorklogPRO - Jira Timesheets app.

1. Vulnerability Overview

  • CVE ID: CVE-2025-57681

  • Product: WorklogPRO - Jira Timesheets

  • Vendor: The Starware

  • Vulnerability Type: Cross-Site Scripting (XSS) - Stored

2. Affected and Fixed Versions

  • Affected Versions: All versions before 4.23.7

  • Fixed Version: 4.23.7

3. Technical Description

The WorklogPRO - Jira Timesheets plugin in Jira Data Center before version 4.23.7 allows users and attackers to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (XSS) vulnerability.

The vulnerability is triggered by a specially crafted payload stored in an issue's Summary field. Because the summary is not properly sanitized when it is rendered, the payload executes in the browser of any user who opens the Log Work dialog on the calendar page and selects that issue.
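The root cause described above, as an added illustration that is not WorklogPRO's own code: an issue summary concatenated straight into the markup of the "Issue" dropdown, next to the hardened form that escapes every untrusted field. Function names, the sample issue and the key-format check are assumptions made for this example.

```javascript
// Added illustration of the rendering defect behind CVE-2025-57681.
// Not the vendor's code; names and the sample issue are constructed.

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the attacker-controlled summary lands in the markup
// of an <option> unchanged, so a stored <script> runs when the dialog renders.
function renderIssueOptionVulnerable(issue) {
  return `<option value="${issue.key}">${issue.key} - ${issue.summary}</option>`;
}

// Hardened pattern: every untrusted field is escaped on output, and the issue
// key is validated against the Jira key shape (assumed format) as a second guard.
function renderIssueOptionSafe(issue) {
  if (!/^[A-Z][A-Z0-9_]+-\d+$/.test(issue.key)) {
    throw new Error(`invalid issue key: ${issue.key}`);
  }
  const key = escapeHtml(issue.key);
  return `<option value="${key}">${key} - ${escapeHtml(issue.summary)}</option>`;
}

// Constructed sample: the summary carries the payload from the advisory.
const SAMPLE_ISSUE = {
  key: "TEST-1",
  summary: '<script>alert("CreateIssueSummary")</script>',
};

// Returns true when generated markup still contains a raw <script> tag,
// which is the condition a regression test for this bug should assert against.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const vulnerable = renderIssueOptionVulnerable(SAMPLE_ISSUE);
  const safe = renderIssueOptionSafe(SAMPLE_ISSUE);
  return { vulnerable, safe, vulnerableLeaks: containsRawScript(vulnerable), safeLeaks: containsRawScript(safe) };
}
```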

4. Proof of Concept

The following steps demonstrate how to reproduce the vulnerability:

  1. Injection: Create a new Jira issue or edit an existing one. In the Summary field, inject the following XSS payload: <script>alert("CreateIssueSummary")</script>

  2. Navigation: Navigate to WorklogPRO > Worklog Calendar.

  3. Trigger: Click on the "Log Work" button to open the dialog.

  4. Execution: In the "Issue" dropdown, search for and select the issue created in Step 1.

  5. Observation: The injected JavaScript executes immediately, displaying an alert box.

Figure 1: PoC demonstrating XSS execution in the Log Work dialog on the Calendar page

5. Mitigation / Solution

Users are advised to upgrade to version 4.23.7 or later, which addresses this issue. The vendor has released a fix under issue ID WLP-1581.

6. Credit

Discovered by “Ionut Luca from CybrOps”.