CVE-2025-25108
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-25108 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the shalomworld SW Plus (shalom-world-media-gallery) WordPress plugin. This issue affects SW Plus versions from n/a through 2.1 inclusive. The vulnerability was published on 2025-03-03.
The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by tricking authenticated or unauthenticated users into accessing crafted URLs, leading to execution of arbitrary JavaScript in the victim's browser context with changed scope, enabling limited impacts on confidentiality (e.g., session hijacking), integrity (e.g., page modification), and availability.
The Patchstack advisory provides details on this WordPress plugin vulnerability and mitigation guidance, available at https://patchstack.com/database/Wordpress/Plugin/shalom-world-media-gallery/vulnerability/wordpress-sw-plus-plugin-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables attackers to craft malicious URLs that execute arbitrary JavaScript in the victim's browser when visited, directly facilitating drive-by compromise via website visit (T1189), user execution through malicious links (T1204.001), and stealing web session cookies for session hijacking as explicitly noted in the CVE impacts (T1539).