CVE-2025-1487

HighPublic PoC

Published: 13 March 2025

Published

13 March 2025

Modified

09 April 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0009 25.0th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1487 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Andreafarracani Wowpth. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

Directly addresses the failure to escape output by requiring filtering of information before rendering in web pages, preventing reflected XSS execution.

SI-10 Information Input Validation good match

prevent

Mandates validation of unsanitized inputs to block malicious payloads targeting high-privilege users via crafted links.

SI-2 Flaw Remediation good match

prevent

Ensures timely flaw remediation by patching the specific sanitization vulnerability in the WoWPth WordPress plugin.

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

attack.mitre.org →

T1204.001 Malicious Link Execution

An adversary may rely upon a user clicking a malicious link in order to gain execution.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

Why these techniques?

Reflected XSS enables crafting and delivery of malicious links via spearphishing (T1566.002) that users execute by clicking (T1204.001), directly facilitating browser session hijacking and unauthorized actions in the victim's context (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The WoWPth WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Deeper analysisAI

CVE-2025-1487 is a reflected cross-site scripting (XSS) vulnerability in the WoWPth WordPress plugin through version 2.0. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling malicious script execution in a victim's browser. Published on 2025-03-13, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79 (Improper Neutralization of Input During Web Page Generation).

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) by crafting a malicious link or payload that requires user interaction (UI:R), such as clicking a link in a phishing email or visiting a booby-trapped site. The vulnerability targets high-privilege users like administrators, with changed scope (S:C) allowing limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), such as session hijacking or unauthorized actions in the victim's context.

Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/9c683c2e-4f7f-4862-b844-6bdc3d1885dd/.