Cyber Posture

CVE-2025-1232

Severity: High · Public PoC

Published: 19 March 2025
Modified: 09 May 2025
KEV Added: none listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.2892 (96.6th percentile)
Risk Priority: 35 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may abuse various implementations of JavaScript for execution.

Security Summary

CVE-2025-1232 is a stored cross-site scripting (XSS) vulnerability in the Site Reviews WordPress plugin in versions before 7.2.5. The plugin does not properly sanitize and escape certain Review fields, so script injected into a review is stored and executed each time the review is rendered. Published on 19 March 2025, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-79 (Improper Neutralization of Input During Web Page Generation).

Unauthenticated attackers can exploit the flaw remotely with low attack complexity by submitting malicious content in the unsanitized Review fields. Exploitation requires user interaction: a site visitor must view the page that renders the stored review. A successful attack has high impact on confidentiality, integrity, and availability, since the injected script runs in the victim's browser in the context of the site and can be used to steal session cookies, impersonate users, or execute arbitrary JavaScript in victims' browsers.

According to the vulnerability description, the mitigation is to update Site Reviews to version 7.2.5 or later. Further details on patches and workarounds are provided in the WPScan advisory at https://wpscan.com/vulnerability/c4ea8357-ddd7-48ac-80c9-15b924715b14/.
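To make the summary concrete, here is an added illustration (not code from the Site Reviews plugin or from this page) of the unescaped-output pattern behind a stored XSS and of its hardened form using contextual output escaping; the field names, markup and sample review are assumptions for the demo.

```php
<?php
// Added illustration, not Site Reviews plugin code. Field names, markup and the
// sample review below are assumptions for the demo.
declare(strict_types=1);

// Constructed review as it might be stored after an unauthenticated submission.
$review = [
    'author'  => 'visitor',
    'title'   => '5 stars & "worth it"',
    'content' => 'Nice product <script>/* constructed test marker */</script>',
];

// Vulnerable pattern: stored strings are concatenated straight into HTML, so any
// markup inside them is interpreted by every visitor's browser (stored XSS).
function render_review_unescaped(array $r): string
{
    return '<div class="review" data-title="' . $r['title'] . '">'
         . '<h3>' . $r['title'] . '</h3>'
         . '<p>' . $r['content'] . '</p>'
         . '<cite>' . $r['author'] . '</cite></div>';
}

// Hardened pattern: escape every field for the context it is emitted into.
// ENT_QUOTES also neutralises single and double quotes, which matters when the
// value lands in an attribute. In WordPress, esc_html()/esc_attr() serve this role.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_review_escaped(array $r): string
{
    return '<div class="review" data-title="' . esc($r['title']) . '">'
         . '<h3>' . esc($r['title']) . '</h3>'
         . '<p>' . esc($r['content']) . '</p>'
         . '<cite>' . esc($r['author']) . '</cite></div>';
}

$unsafe = render_review_unescaped($review);
$safe   = render_review_escaped($review);

// The unescaped output still carries a live <script> tag; the escaped output
// renders the same text as inert &lt;script&gt; entities.
if (str_contains($unsafe, '<script>') && !str_contains($safe, '<script>')) {
    echo "Output escaping neutralised the stored script in the review.\n";
}
echo $safe, PHP_EOL;
```

Escaping at render time is the fix the advisory implies (sanitize and escape the fields); filtering on input alone is weaker because the stored value may later be emitted into a context the input filter did not anticipate.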

Details

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)

Affected Products: geminilabs site reviews ≤ 7.2.5

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Stored XSS in a public-facing WordPress plugin maps directly to T1190 (the public-facing application is exploited through an unsanitized review submission) and to T1059.007 (the persisted malicious JavaScript executes in visitors' browsers, enabling cookie theft and impersonation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
