CVE-2025-25124
Published: 03 March 2025
Description
An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.
Security Summary
CVE-2025-25124 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79, in the devu Status Updater (fb-status-updater) WordPress plugin. All versions of the plugin up to and including 1.9.2 are affected.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): exploitable over the network with low attack complexity and no privileges, but requiring user interaction, with a scope change because the payload runs in the victim's browser rather than in the plugin itself. An unauthenticated attacker crafts a request whose parameter the plugin reflects into the generated page without neutralization, then lures a victim user (for example a site administrator or another logged-in user) into opening it via a phishing link or similar vector. The injected payload executes as JavaScript in the victim's browser within the site's origin, enabling session hijacking, theft of data the victim can access, or defacement of what the victim sees. The low confidentiality, integrity and availability ratings reflect that the impact is bounded by the victim's own privileges and session.
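The pattern described above, with its hardened form, as an added illustration. This is hypothetical code, not the fb-status-updater plugin's own source: the `status` parameter name and the function names are assumed, and the nonce action string is invented for the example. Only the WordPress core APIs used (`sanitize_text_field`, `wp_unslash`, `esc_attr`, `esc_html`, `current_user_can`, `check_admin_referer`, `wp_die`) are real.

```php
<?php
// Hypothetical reflected-XSS pattern and its hardened form for a WordPress plugin.
// Not code from the fb-status-updater plugin; parameter and function names are assumed.

// --- Vulnerable: the request parameter is written into the page as received. ---
function vulnerable_status_box() {
    $status = isset( $_GET['status'] ) ? $_GET['status'] : '';
    // The browser receives the raw value, so a link such as
    // ?status="><script>/* attacker JS */</script> breaks out of the attribute
    // and executes in the site's origin when a victim opens it.
    echo '<input type="text" name="status" value="' . $status . '">';
    echo '<p>Last status: ' . $status . '</p>';
}

// --- Hardened: neutralize at output with escaping that matches the HTML context. ---
function hardened_status_box() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, octets and control characters on input.
    $status = isset( $_GET['status'] )
        ? sanitize_text_field( wp_unslash( $_GET['status'] ) )
        : '';
    // Input sanitization alone is not the fix for CWE-79. The value must be
    // escaped for the exact context where it is emitted: esc_attr() inside an
    // attribute value, esc_html() in element content. Both turn < > " ' &
    // into entities, so the browser renders them as text, not markup.
    echo '<input type="text" name="status" value="' . esc_attr( $status ) . '">';
    echo '<p>Last status: ' . esc_html( $status ) . '</p>';
}

// Reflected XSS needs a victim to follow a crafted link. When the reflecting
// page is an admin-only action, gating it on capability and a nonce also removes
// the "unauthenticated attacker supplies the URL" vector, because the link the
// attacker can build will not carry a valid nonce for the victim's session.
// 'fb_status_update_action' is an assumed nonce action name for this example.
function hardened_admin_status_action() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'fb_status_update_action' ); // dies on a missing or invalid nonce
    hardened_status_box();
}
```

When auditing a plugin for this class of bug, look for `$_GET`, `$_POST` or `$_REQUEST` values that reach `echo`, `printf` or a template without passing through an `esc_*` function in the same output context; sanitization on input (`sanitize_text_field`) without escaping on output is the most common near miss.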
Patchstack provides details on this vulnerability, including mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/fb-status-updater/vulnerability/wordpress-wp-spell-check-plugin-9-21-cross-site-request-forgery-csrf-vulnerability-3?_s_id=cve.
Details
- CWE(s): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MITRE ATT&CK Enterprise Techniques
- T1566.002 Phishing: Spearphishing Link
- T1185 Browser Session Hijacking
- T1491.002 Defacement: External Defacement
Why these techniques?
Reflected XSS is delivered by getting a victim to open an attacker-crafted link (T1566.002). Once the payload runs in the victim's browser within the site's origin, it can act with the victim's session (T1185) and alter the content shown on the externally facing site (T1491.002).