CVE-2025-28921
Published: 26 March 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-28921 is an improper neutralization of input during web page generation vulnerability, enabling reflected cross-site scripting (XSS) as classified under CWE-79. It affects the SpatialMatch IDX WordPress plugin (spatialmatch-free-lifestyle-search) from homejunction, impacting versions from n/a through 3.0.9 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility with low attack complexity, no required privileges, but necessitating user interaction. Remote attackers can exploit it by tricking users into interacting with malicious input, such as via a crafted link or payload reflected in the web page, achieving low impacts on confidentiality, integrity, and availability within a changed scope.
The Patchstack advisory provides further details on the vulnerability in the WordPress SpatialMatch IDX plugin version 3.0.9, including mitigation guidance, accessible at https://patchstack.com/database/Wordpress/Plugin/spatialmatch-free-lifestyle-search/vulnerability/wordpress-spatialmatch-idx-plugin-3-0-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability is directly exploited via crafted malicious links that require user interaction to reflect and execute arbitrary JavaScript in the victim's browser, mapping to malicious link delivery and spearphishing link techniques.