CVE-2025-25113
Published: 03 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-25113 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Senktec Implied Cookie Consent WordPress plugin (implied-cookie-consent). This issue affects all versions from n/a through 1.3 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
A network-based attacker requires no privileges and can exploit the vulnerability with low attack complexity by inducing a user to interact with malicious input, such as a crafted link or payload reflected in web page generation. Exploitation enables arbitrary script execution in the victim's browser context due to the changed scope, resulting in low impacts to confidentiality, integrity, and availability.
The Patchstack advisory provides further details on this vulnerability, including potential mitigation steps, at https://patchstack.com/database/Wordpress/Plugin/implied-cookie-consent/vulnerability/wordpress-external-video-for-everybody-plugin-2-1-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the browser (T1059.007) triggered by user interaction with a crafted malicious link (T1204.001), directly facilitating browser session hijacking (T1185).