CVE-2025-25159
Published: 07 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-25159 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the WP Doodlez WordPress plugin by robert_kolatzek. The issue affects all versions of the plugin from n/a through 1.0.10, allowing malicious input to be stored and executed when pages are generated.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability can be exploited over the network by unauthenticated attackers (PR:N) using low-complexity techniques that require user interaction (UI:R). Exploitation enables attackers to inject and persist malicious scripts, which execute in the browser context of other users viewing affected content, resulting in low impacts to confidentiality, integrity, and availability with a changed scope.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpdoodlez/vulnerability/wordpress-wp-doodlez-plugin-1-0-10-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables T1190 (exploiting the web app for initial access) and T1059.007 (injection/execution of attacker-controlled JavaScript in victim browsers).