CVE-2025-25083
Published: 03 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-25083 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the EP4 More Embeds WordPress plugin by Dave Lavoie. The issue affects the plugin from its initial release through version 1.0.0. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this over the network with low complexity and no required privileges, though it demands user interaction. Successful exploitation changes the security scope, enabling low-impact violations of confidentiality, integrity, and availability. A remote attacker could inject and store malicious scripts through the plugin, which then execute in the browser context of authenticated users viewing affected pages.
The Patchstack advisory provides details on this Stored XSS vulnerability in the EP4 More Embeds plugin version 1.0.0; practitioners should consult https://patchstack.com/database/Wordpress/Plugin/ep4-more-embeds/vulnerability/wordpress-ep4-more-embeds-plugin-1-0-0-stored-cross-site-scripting-xss-vulnerability?_s_id=cve for mitigation guidance and patch information.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS allows unauthenticated injection of scripts that execute in authenticated users' browsers on the affected site, directly enabling web portal input capture and browser session hijacking via cookie/token theft or malicious actions in user context.