CVE-2025-2325
Published: 15 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-2325 is a stored cross-site scripting (XSS) vulnerability in the WP Test Email plugin for WordPress, affecting all versions up to and including 1.1.8. The issue stems from insufficient input sanitization and output escaping in the Email Logs feature, enabling the injection of arbitrary web scripts into pages.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, no privileges, and no user interaction required. By injecting malicious scripts via email logs, attackers can cause the scripts to execute whenever any user accesses the affected pages, achieving low impacts on confidentiality and integrity with a changed scope, as reflected in the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Advisories and patches are referenced in the WordPress plugin trac changeset for the WP Test Email repository and Wordfence threat intelligence page, providing details on remediation for this CWE-79 vulnerability, which was published on 2025-03-15.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in user browsers when viewing affected pages.