CVE-2025-25169
Published: 03 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-25169 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Authors Autocomplete Meta Box WordPress plugin by Rachel Cherry. The flaw affects all versions of the plugin from n/a through 1.2 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges required, though it demands user interaction such as visiting a malicious link or page. Upon successful exploitation, reflected XSS enables arbitrary script execution in the context of the victim's browser on the affected site, resulting in low impacts to confidentiality, integrity, and availability, with a changed scope.
The Patchstack advisory documents this Reflected XSS vulnerability specifically in Authors Autocomplete Meta Box plugin version 1.2 for WordPress.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables T1190 (explicitly includes XSS for initial access); arbitrary browser script execution directly facilitates T1539 (steal web session cookies) and T1185 (browser session hijacking).