CVE-2025-22575
Published: 28 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-22575 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the SUPER RESPONSIVE SLIDER (super-slider) plugin for WordPress, developed by extendyourweb, across all versions up to and including 1.4.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with crafted requests, resulting in the reflection of malicious scripts in the browser. This can lead to low-level impacts on confidentiality, integrity, and availability, with a changed scope due to the cross-origin context.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/super-slider/vulnerability/wordpress-super-responsive-slider-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS requires tricking users into interacting with crafted malicious links/requests to reflect and execute scripts in the browser, directly enabling/facilitating T1192 Spearphishing Link and T1204.001 Malicious Link.