CVE-2025-25083
Published: 03 March 2025
Summary
CVE-2025-25083 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Portal Capture (T1056.003); ranked in the top 42.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-25083 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the EP4 More Embeds WordPress plugin by Dave Lavoie. The issue affects the plugin from its initial release through version 1.0.0. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this over the network with low complexity and no required privileges, though it demands user interaction. Successful exploitation changes the security scope, enabling low-impact violations of confidentiality, integrity, and availability. A remote attacker could inject and store malicious scripts through the plugin, which then execute in the browser context of authenticated users viewing affected pages.
The Patchstack advisory provides details on this Stored XSS vulnerability in the EP4 More Embeds plugin version 1.0.0; practitioners should consult https://patchstack.com/database/Wordpress/Plugin/ep4-more-embeds/vulnerability/wordpress-ep4-more-embeds-plugin-1-0-0-stored-cross-site-scripting-xss-vulnerability?_s_id=cve for mitigation guidance and patch information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5672
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dave Lavoie EP4 More Embeds ep4-more-embeds allows Stored XSS.This issue affects EP4 More Embeds: from n/a through <= 1.0.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS allows unauthenticated injection of scripts that execute in authenticated users' browsers on the affected site, directly enabling web portal input capture and browser session hijacking via cookie/token theft or malicious actions in user context.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Information Output Filtering directly prevents stored XSS by filtering malicious scripts prior to rendering in web browsers.
Information Input Validation neutralizes improper input neutralization, preventing storage of malicious scripts in the WordPress plugin.
Flaw Remediation ensures timely patching or removal of the vulnerable EP4 More Embeds plugin to eliminate the stored XSS vulnerability.