CVE-2025-25087

CVE-2025-25087 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS, CWE-79), affecting the seekXL Snapr WordPress plugin (seekxl-snapr) developed by Tim. The issue impacts all versions from n/a through 2.0.6, as published on 2025-03-03. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, and changed scope with low impacts across confidentiality, integrity, and availability.

Attackers can exploit this vulnerability remotely without authentication by crafting malicious payloads delivered via network requests, such as links in phishing emails or social engineering lures that trick users into interacting (e.g., visiting a malicious URL). Successful exploitation enables arbitrary JavaScript execution in the victim's browser context, potentially leading to session hijacking, data theft, or further site compromise, with the changed scope allowing impacts beyond the targeted user due to the plugin's web page generation role.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/seekxl-snapr/vulnerability/wordpress-seekxl-snapr-plugin-2-0-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in the seekXL Snapr plugin version 2.0.6 and recommends mitigation through updating to a patched version beyond 2.0.6, as earlier versions remain vulnerable.