CVE-2025-1561
Published: 13 March 2025
Summary
CVE-2025-1561 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Apppresser's AppPresser plugin. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-1561 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the AppPresser – Mobile App Framework plugin for WordPress. It affects all versions up to and including 4.4.10 due to insufficient input sanitization and output escaping of the 'title' parameter. This flaw enables the injection of arbitrary web scripts into pages when logging is enabled in the plugin.
Unauthenticated attackers can exploit the vulnerability over the network with low attack complexity, no privileges, and no user interaction required, earning it a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). By submitting malicious payloads via the 'title' parameter, attackers can store scripts in log pages that execute in the context of any user accessing those pages, potentially stealing session cookies, redirecting users, or performing other client-side attacks.
Advisories and plugin repositories indicate mitigation through updating to AppPresser version 4.4.11 or later, which includes fixes to the AppPresser_Log_Admin.php file as shown in the plugin's trac changeset 3254632. Further technical details and threat intelligence are provided by Wordfence at their vulnerability page and in the plugin's source code at template.php line 32.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6614
Vulnerability details
The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 4.4.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when logging is enabled that will execute whenever a user accesses an injected page.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Stored XSS in a public-facing WordPress plugin directly enables T1190 by allowing unauthenticated network exploitation of the web application to inject and execute arbitrary scripts in user contexts.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates information input validation at entry points, directly addressing the insufficient sanitization of the 'title' parameter that allows stored XSS injection.
SI-15 requires output filtering prior to user display, mitigating the lack of output escaping that enables execution of injected scripts on log pages.
SI-2 ensures timely flaw remediation, such as patching the AppPresser plugin to version 4.4.11, which fixes the input sanitization and output escaping issues.
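An added illustration of SI-10 and SI-15 as they apply to a logged 'title' value (this is not AppPresser's code and is not taken from the changeset): a hypothetical log writer and renderer in plain PHP, with strip_tags() and htmlspecialchars() standing in for WordPress's sanitize_text_field() and esc_html(). All function names and the sample value are constructed for the example.

```php
<?php
// Added example: hypothetical log store and renderer, not AppPresser's code.

// SI-10: normalise the value at the entry point, before it is stored.
// Inside WordPress, sanitize_text_field() is the usual call for this.
function log_sanitize_title(string $raw): string {
    $clean = strip_tags($raw);                                 // drop markup
    $clean = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $clean);  // control chars, newlines
    return mb_substr(trim($clean), 0, 200, 'UTF-8');           // bound stored length
}

// SI-15: escape for the HTML context at output time.
// Inside WordPress, esc_html() is the usual call for this.
function log_escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before" shape: the stored value is concatenated straight into the log table.
function render_row_unescaped(array $entry): string {
    return '<tr><td>' . $entry['title'] . '</td></tr>';
}

// "After" shape: every stored field is escaped when it is rendered.
function render_row_escaped(array $entry): string {
    return '<tr><td>' . log_escape_html($entry['title']) . '</td></tr>';
}

// Constructed sample: a request value carrying markup in 'title'.
$submitted = 'Sync <script>alert(1)</script> failed';

// An entry already in the log store, written before any sanitising existed.
$legacy = ['title' => $submitted];
// An entry written through the sanitising path.
$current = ['title' => log_sanitize_title($submitted)];

echo render_row_unescaped($legacy), PHP_EOL;  // markup reaches the page as markup
echo render_row_escaped($legacy), PHP_EOL;    // legacy entry rendered as inert text
echo render_row_escaped($current), PHP_EOL;   // sanitised on write, escaped on read
```

Escaping at render time also covers entries that were stored before the sanitising path existed, so log data written by a vulnerable version stays inert after the upgrade.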