CVE-2025-1401
Published: 13 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques. (This is the MITRE ATT&CK description of T1185, Browser Session Hijacking, one of the two techniques this CVE is mapped to.)
Security Summary
CVE-2025-1401 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, in the WP Click Info WordPress plugin, versions through 2.7.4. The plugin neither sanitizes a request parameter on input nor escapes it when echoing it back into the generated page, so an attacker can build a URL whose parameter value is rendered as markup or script and executed in the browser of whoever opens it.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): reachable over the network, low attack complexity, no privileges required of the attacker, and user interaction required of the victim (opening a crafted link). Scope is Changed because the vulnerable component is the plugin's server-side code while the impact lands in the victim's browser, in the security context of the site. The realistic exploitation path is to get a high-privilege user, such as an administrator, to follow the link while logged in; the injected script then runs with that user's session and can perform authenticated actions on their behalf, which is the account-takeover route. Note that WordPress sets its authentication cookies HttpOnly by default, so script-based theft of the session cookie is usually not possible; the practical impact is riding the live session rather than exfiltrating it.
Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/072620a2-76db-49d2-aae5-1170c409f7e7/.
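A minimal reproduction of the pattern described in the summary, written for this page as an added example (it is not code from WP Click Info or from the WPScan advisory): the vulnerable echo, a sanitize-only half-fix, and the hardened version, followed by the reflection check a tester would run against a real response body. The parameter name `q`, the markup and the payloads are assumptions constructed for the example; the WordPress functions named in the comments (sanitize_text_field, wp_unslash, esc_html, esc_attr) are real WordPress APIs but are not called, so the script runs under plain `php` with no WordPress install.

```php
<?php
// Added illustration of the CWE-79 pattern described in this advisory.
// This is NOT the WP Click Info plugin's code: the parameter name "q", the
// markup and the payloads are constructed for the example.
declare(strict_types=1);

// Vulnerable shape: a request parameter is concatenated straight into HTML,
// both inside a quoted attribute value and as a text node.
function render_vulnerable(array $get): string
{
    $q = $get['q'] ?? '';
    return '<div class="info" data-q="' . $q . '">Results for: ' . $q . '</div>';
}

// Roughly what WordPress' sanitize_text_field() does: strip tags, drop control
// characters, collapse whitespace. This is input sanitization only; it does
// no output encoding.
function sanitize_plain_text(string $raw): string
{
    $s = strip_tags($raw);
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s) ?? '';
    $s = preg_replace('/\s+/', ' ', $s) ?? '';
    return trim($s);
}

// Half-fix: sanitized but not escaped. Stops <tag> payloads, but an
// attribute-breakout payload (no angle brackets) still rewrites the <div>.
function render_sanitize_only(array $get): string
{
    $q = sanitize_plain_text((string) ($get['q'] ?? ''));
    return '<div class="info" data-q="' . $q . '">Results for: ' . $q . '</div>';
}

// Escape for HTML text / quoted-attribute context. WordPress equivalents:
// esc_html() for text nodes, esc_attr() for quoted attribute values.
function esc_html_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Proper fix: sanitize on input AND escape for the output context.
// In a plugin: $q = sanitize_text_field( wp_unslash( $_GET['q'] ?? '' ) );
// then echo esc_attr( $q ) / esc_html( $q ) at each point of output.
function render_hardened(array $get): string
{
    $q = sanitize_plain_text((string) ($get['q'] ?? ''));
    return '<div class="info" data-q="' . esc_html_ctx($q) . '">Results for: '
        . esc_html_ctx($q) . '</div>';
}

// Verification check a tester runs against a response body: does the payload
// come back byte-for-byte, i.e. without any encoding applied?
function is_reflected_unescaped(string $payload, string $html): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed payloads: one that needs a new tag, one that does not.
$payloads = [
    'tag injection'      => '<svg onload=alert(document.domain)>',
    'attribute breakout' => '" autofocus onfocus=alert(document.domain) x="',
];
$renderers = [
    'vulnerable'    => 'render_vulnerable',
    'sanitize-only' => 'render_sanitize_only',
    'hardened'      => 'render_hardened',
];
foreach ($payloads as $name => $p) {
    foreach ($renderers as $label => $fn) {
        $html = $fn(['q' => $p]);
        printf("%-19s %-14s reflected unescaped: %s\n", $name, $label,
            is_reflected_unescaped($p, $html) ? 'YES' : 'no');
    }
}
```

Run it with `php reflect.php`. The sanitize-only renderer stops the `<svg>` payload but still reflects the attribute-breakout payload unchanged, which is why the fix has to escape for the output context and not only strip tags on input; the hardened renderer reflects neither. The same `is_reflected_unescaped` check, applied to a real HTTP response for a URL carrying the payload, is how to confirm an update actually closed the hole.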
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Affected Products
- WP Click Info (WordPress plugin), versions through 2.7.4
MITRE ATT&CK Enterprise Techniques
- T1059.007 (Command and Scripting Interpreter: JavaScript)
- T1185 (Browser Session Hijacking)
Why these techniques?
Reflected XSS gives the attacker arbitrary JavaScript execution in the victim's browser (T1059.007) and, when the victim is a logged-in user, control over that authenticated browser session (T1185).