CVE-2025-25092
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-25092 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the All push notification for WP plugin by gtlwpdev. This issue affects all versions of the plugin from n/a through 1.5.3.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no privileges required, but user interaction is needed. Attackers can target any authenticated or unauthenticated user visiting a maliciously crafted link or page on an affected WordPress site, leading to script execution in the victim's browser context with changed scope, resulting in low impacts to confidentiality, integrity, and availability.
Patchstack provides details on the vulnerability and mitigation in its database advisory at https://patchstack.com/database/Wordpress/Plugin/all-push-notification/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of the web app (T1190) and arbitrary JavaScript execution in victim browser (T1059.007).