Cyber Posture

CVE-2025-25170

High

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0035 57.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may abuse various implementations of JavaScript for execution.

Security Summary

CVE-2025-25170 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the DotsquaresLtd Migrate Posts (migrate-post) WordPress plugin. This issue affects all versions from n/a through 1.0 inclusive, as published on 2025-03-03.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed for exploitation. Remote attackers without authentication can deliver malicious payloads via reflected input, potentially executing scripts in the context of affected users' browsers with changed scope, leading to low impacts on confidentiality, integrity, and availability.

Patchstack provides details on this post-based XSS vulnerability in the Migrate Posts plugin version 1.0 via its database advisory at https://patchstack.com/database/Wordpress/Plugin/migrate-post/vulnerability/wordpress-migrate-posts-plugin-1-0-post-based-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-79

MITRE ATT&CK Enterprise Techniques

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

Reflected XSS enables delivery of malicious links that trigger arbitrary JavaScript execution in the victim's browser upon user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References