CVE-2025-28855
Published: 26 March 2025
Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Security Summary
CVE-2025-28855 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Teleport WordPress plugin developed by srcoley, with vulnerable versions spanning from n/a through 1.2.4.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it to inject and execute arbitrary scripts in a user's browser context, potentially leading to limited impacts on confidentiality, integrity, and availability within a changed scope.
Patchstack's advisory documents this Reflected XSS issue specifically in Teleport plugin version 1.2.4, providing details on the vulnerability for WordPress environments.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin allows an attacker to craft a malicious link that, when visited by a user, injects and executes arbitrary scripts in the browser context. This directly matches Drive-by Compromise (T1189), where victims are tricked into visiting a site that delivers malicious client-side code.