Cyber Posture

CVE-2025-1487

High · Public PoC

Published: 13 March 2025

Modified: 09 April 2025
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0009 (25.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

Security Summary

CVE-2025-1487 is a reflected cross-site scripting (XSS) vulnerability in the WoWPth WordPress plugin through version 2.0. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling malicious script execution in a victim's browser. Published on 2025-03-13, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79 (Improper Neutralization of Input During Web Page Generation).

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) by crafting a malicious link or payload that requires user interaction (UI:R), such as clicking a link in a phishing email or visiting a booby-trapped site. The vulnerability targets high-privilege users like administrators, with changed scope (S:C) allowing limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), such as session hijacking or unauthorized actions in the victim's context.

Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/9c683c2e-4f7f-4862-b844-6bdc3d1885dd/.

Details

CWE(s): CWE-79

Affected Products

andreafarracani / wowpth: ≤ 2.0

MITRE ATT&CK Enterprise Techniques

T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

Reflected XSS enables crafting and delivery of malicious links via spearphishing (T1566.002) that users execute by clicking (T1204.001), directly facilitating browser session hijacking and unauthorized actions in the victim's context (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
