CVE-2025-25114

CVE-2025-25114 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the ehabstar User Role user-roles WordPress plugin. This issue affects User Role versions from n/a through <= 1.0. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, and changed scope with low impacts to confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability by crafting malicious input that is reflected in web page generation without proper neutralization. Exploitation requires a user, such as an administrator or logged-in user, to interact with a malicious link or input, typically via a phishing vector, leading to script execution in the victim's browser context. This can result in limited theft of sensitive data, session hijacking, or minor disruptions, amplified by the changed scope affecting other resources.

The Patchstack advisory provides details on this vulnerability, including potential patches or workarounds for affected WordPress installations; security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/user-roles/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability-6?_s_id=cve for mitigation guidance and updates.