CVE-2025-27279
Published: 03 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-27279 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the lynk Flashfader (flashfader) WordPress plugin. This issue affects Flashfader versions from n/a through 1.1.1 inclusive. The vulnerability was published on 2025-03-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low attack complexity, no privileges required, but user interaction is necessary, and scope is changed. Remote attackers can exploit it by delivering malicious input that reflects in web page generation, potentially compromising user sessions or executing scripts in the victim's browser context with low impacts to confidentiality, integrity, and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/flashfader/vulnerability/wordpress-flashfader-plugin-1-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS directly enables arbitrary JavaScript execution in the victim's browser (T1059.007) and facilitates browser session hijacking via cookie/credential theft (T1185).