CVE-2025-25089
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-25089 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the WordPress plugin appten Image Rotator (appten-image-rotator) in all versions from n/a through 2.0 inclusive. Published on 2025-03-03, the issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it demands user interaction such as clicking a malicious link. Successful exploitation changes the scope and results in low impacts to confidentiality, integrity, and availability, typically allowing arbitrary JavaScript execution in the context of the affected site for the interacting user.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/appten-image-rotator/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and arbitrary JavaScript execution in browser (T1059.007) via crafted links.