Cyber Resilience

CVE-2025-25083

High

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0035 57.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25083 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Portal Capture (T1056.003); ranked in the top 42.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-25083 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the EP4 More Embeds WordPress plugin by Dave Lavoie. The issue affects the plugin from its initial release through version 1.0.0. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this over the network with low complexity and no required privileges, though it demands user interaction. Successful exploitation changes the security scope, enabling low-impact violations of confidentiality, integrity, and availability. A remote attacker could inject and store malicious scripts through the plugin, which then execute in the browser context of authenticated users viewing affected pages.

The Patchstack advisory provides details on this Stored XSS vulnerability in the EP4 More Embeds plugin version 1.0.0; practitioners should consult https://patchstack.com/database/Wordpress/Plugin/ep4-more-embeds/vulnerability/wordpress-ep4-more-embeds-plugin-1-0-0-stored-cross-site-scripting-xss-vulnerability?_s_id=cve for mitigation guidance and patch information.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dave Lavoie EP4 More Embeds ep4-more-embeds allows Stored XSS.This issue affects EP4 More Embeds: from n/a through <= 1.0.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1056.003 Web Portal Capture Collection
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS allows unauthenticated injection of scripts that execute in authenticated users' browsers on the affected site, directly enabling web portal input capture and browser session hijacking via cookie/token theft or malicious actions in user context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23522Shared CWE-79
CVE-2025-0599Shared CWE-79
CVE-2025-23657Shared CWE-79
CVE-2025-24615Shared CWE-79
CVE-2026-42733Shared CWE-79
CVE-2026-28122Shared CWE-79
CVE-2026-24750Shared CWE-79
CVE-2025-7799Shared CWE-79
CVE-2026-1454Shared CWE-79
CVE-2026-4107Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Information Output Filtering directly prevents stored XSS by filtering malicious scripts prior to rendering in web browsers.

prevent

Information Input Validation neutralizes improper input neutralization, preventing storage of malicious scripts in the WordPress plugin.

prevent

Flaw Remediation ensures timely patching or removal of the vulnerable EP4 More Embeds plugin to eliminate the stored XSS vulnerability.

References