CVE-2025-25092
Published: 03 March 2025
Summary
CVE-2025-25092 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25092 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the All push notification for WP plugin by gtlwpdev. This issue affects all versions of the plugin from n/a through 1.5.3.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no privileges required, but user interaction is needed. Attackers can target any authenticated or unauthenticated user visiting a maliciously crafted link or page on an affected WordPress site, leading to script execution in the victim's browser context with changed scope, resulting in low impacts to confidentiality, integrity, and availability.
Patchstack provides details on the vulnerability and mitigation in its database advisory at https://patchstack.com/database/Wordpress/Plugin/all-push-notification/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5662
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gtlwpdev All push notification for WP (all-push-notification) allows Reflected XSS. This issue affects All push notification for WP: from n/a through <= 1.5.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring identification, reporting, testing, and correction of the specific XSS flaw in the WordPress plugin.
- SI-15 (Information Output Filtering): prevents reflected XSS attacks by filtering information outputs during web page generation to neutralize malicious input scripts.
- Input validation: addresses the improper neutralization by validating user inputs before they are processed and reflected in web pages.
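As an added illustration (not the All push notification for WP plugin's own code, which this advisory does not reproduce), the hypothetical WordPress handler below shows the reflected-XSS pattern behind CWE-79 beside the validated and escaped form that the output-filtering and input-validation controls above call for; the function names and the apn_msg / apn_return parameters are assumptions.

```php
<?php
// Hypothetical plugin code written for this advisory as an illustration only;
// it is NOT the source of the All push notification for WP plugin.

// Vulnerable pattern: a request parameter is echoed straight into the page, so
// a crafted link can inject markup and script into the response (reflected XSS).
function apn_example_render_status_vulnerable() {
    $msg = isset( $_GET['apn_msg'] ) ? $_GET['apn_msg'] : '';
    echo '<div class="notice"><p>' . $msg . '</p></div>';
}

// Hardened pattern: validate the value on the way in and escape it for the exact
// output context on the way out. All helpers used here are WordPress core functions.
function apn_example_render_status_hardened() {
    // sanitize_text_field() strips tags, invalid UTF-8 octets and line breaks;
    // wp_unslash() removes the slashes WordPress adds to superglobals.
    $msg = isset( $_GET['apn_msg'] )
        ? sanitize_text_field( wp_unslash( $_GET['apn_msg'] ) )
        : '';

    // esc_html() encodes <, >, &, " and ' so the value can only render as text.
    echo '<div class="notice"><p>' . esc_html( $msg ) . '</p></div>';

    // A value placed inside an attribute needs the attribute escaper, not esc_html().
    echo '<input type="hidden" name="apn_msg" value="' . esc_attr( $msg ) . '">';
}

// A reflected link target is a separate context: esc_url() rejects unsafe
// protocols (e.g. javascript:) and encodes the value for use in href.
function apn_example_render_back_link() {
    $target = isset( $_GET['apn_return'] ) ? wp_unslash( $_GET['apn_return'] ) : '';
    // Keep redirects on this site; off-site or empty targets fall back to the admin URL.
    $target = wp_validate_redirect( $target, admin_url() );
    echo '<a href="' . esc_url( $target ) . '">Back</a>';
}
```

The difference between the two render functions is exactly what SI-15 requires: untrusted input is neutralized at the point where it is written into the generated page.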