CVE-2025-25165
Published: 03 March 2025
Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Security Summary
CVE-2025-25165 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the Staff Directory Plugin: Company Directory (staff-directory-pro) for WordPress, developed by richardgabriel. The issue affects all versions through 4.3 (the record gives the lower bound as n/a) and was published on 2025-03-03.
The vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L) by unauthenticated attackers (PR:N), though it requires user interaction (UI:R), such as a victim viewing an affected page. Malicious input can be stored and later rendered without neutralization, so that arbitrary JavaScript executes in victims' browsers. Because the script runs in the victim's browser rather than in the plugin itself, the scope is changed (S:C). The confidentiality, integrity, and availability impacts are all rated low (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 7.1.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/staff-directory-pro/vulnerability/wordpress-staff-directory-plugin-company-directory-plugin-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin allows an unauthenticated attacker to inject arbitrary JavaScript over the network, which then executes in victims' browsers when they view the page. This maps directly to T1190 (exploiting a public-facing application), T1059.007 (JavaScript execution), and T1189 (drive-by compromise via a compromised site).