CVE-2025-25119
Published: 03 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-25119 is an Improper Neutralization of Input During Web Page Generation (CWE-79) vulnerability that enables reflected cross-site scripting (XSS). It affects the WooCommerce osCommerce Sync plugin (woo-oscommerce-sync) developed by Alejandro Aranda, impacting all versions from n/a through 2.0.20. Published on 2025-03-03T14:15:51.750, the vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated remote attackers can exploit this over the network with low attack complexity, but user interaction is required, such as the victim visiting a maliciously crafted link or page. On successful exploitation, attacker-controlled input is reflected into the generated page and arbitrary JavaScript runs in the victim's browser within the site's origin. The impact on confidentiality, integrity, and availability is rated low for each; the scope is changed because the injected script executes in the vulnerable site's security context rather than in the plugin component alone.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-oscommerce-sync/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability-4?_s_id=cve.
Details
CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS gives the attacker arbitrary JavaScript execution in the victim's browser (T1059.007), delivered either by luring the user into clicking a malicious link (T1204.001) or through drive-by compromise (T1189).