CVE-2025-25133

CVE-2025-25133 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS), in the WP Frontend Submit plugin (wp-frontend-submit) developed by newbiesup for WordPress. This issue affects all versions of the plugin from n/a through 1.1.0. The vulnerability carries a CVSS v3.1 base score of 7.1, with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts on confidentiality, integrity, and availability.

Attackers can exploit this Reflected XSS flaw by crafting malicious inputs that are reflected back in web page generation without proper neutralization, tricking authenticated or unauthenticated users into interacting with a malicious link or payload via a phishing vector. No privileges are required (PR:N), but user interaction (UI:R) is necessary, such as clicking a link. Successful exploitation allows execution of arbitrary scripts in the victim's browser context, potentially leading to low-level impacts like session hijacking, data theft, or page manipulation, with scope change (S:C) enabling actions beyond the vulnerable component.

Patchstack provides details on this vulnerability, including mitigation guidance, via their advisory at https://patchstack.com/database/Wordpress/Plugin/wp-frontend-submit/vulnerability/wordpress-indeed-api-plugin-0-5-csrf-to-settings-change-vulnerability-2?_s_id=cve. Security practitioners should update to a patched version if available or apply workarounds as recommended in the advisory.