CVE-2025-25132
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-25132 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, affecting the WordPress plugin Visitor Details developed by Ravi Singh. The issue impacts versions from an unspecified initial release through 1.0.1. Published on 2025-03-03T14:15:52.917, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability enables attackers to inject and store malicious scripts via input fields processed by the plugin, which then execute in the context of users viewing affected visitor details pages. Exploitation requires no privileges (PR:N) and is network-accessible with low complexity (AV:N/AC:L), though it depends on user interaction (UI:R). Successful attacks achieve low impacts on confidentiality, integrity, and availability, with a changed scope (S:C).
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/visitors-details/vulnerability/wordpress-visitor-details-plugin-1-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS allows injection of malicious JavaScript via unsanitized input fields that executes in the browser of users viewing the visitor details page, directly enabling drive-by compromise through the compromised web page and use of JavaScript for malicious scripting.