CVE-2025-25099
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-25099 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Cross-Site Scripting (XSS) under CWE-79, affecting the WordPress plugin Appointment Buddy Widget (appointment-buddy-online-appointment-booking-by-accrete) from accreteinfosolution. The issue impacts all versions from n/a through 1.2 inclusive.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network by a remote attacker with no privileges and low attack complexity, but it requires user interaction. Successful exploitation runs arbitrary script in the victim's browser context, with low impact on confidentiality, integrity, and availability, and the scope is changed: the effect reaches beyond the vulnerable plugin to other users or resources.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/appointment-buddy-online-appointment-booking-by-accrete/vulnerability/wordpress-embed-rss-plugin-3-1-arbitrary-shortcode-execution-vulnerability?_s_id=cve.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS in a public-facing WordPress plugin enables drive-by compromise via injected malicious scripts (T1189) and theft of web session cookies through arbitrary script execution in the victim's browser (T1539).