CVE-2025-25164
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-25164 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Meta Accelerator WordPress plugin developed by Yuichiro ABE. The issue affects Meta Accelerator versions from n/a through 1.0.4, allowing attackers to inject malicious scripts via unsanitized input reflected in web page generation.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low complexity, no required privileges, and user interaction such as clicking a malicious link. Remote unauthenticated attackers can craft inputs that reflect back into dynamically generated pages, executing arbitrary scripts in the context of the victim's browser and potentially accessing sensitive data like session cookies or performing actions on the user's behalf.
Mitigation details and further analysis are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/meta-accelerator/vulnerability/wordpress-meta-accelerator-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of Internet-facing web applications (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).