CVE-2025-25118
Published: 03 March 2025
Summary
CVE-2025-25118 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 46.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-25118 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS, CWE-79), in the WordPress plugin Top Bar – PopUps – by WPOptin (wpoptin) developed by Danish Ali Malik. The issue affects the plugin from unknown initial versions through 2.0.8 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
A remote, unauthenticated attacker can exploit this vulnerability with low attack complexity by crafting input that is reflected into a web page response; exploitation requires user interaction, such as clicking a specially crafted link. Successful exploitation executes arbitrary script in the victim's browser context, potentially leading to low impacts on confidentiality, integrity, and availability, with scope changed to enable cross-origin effects.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpoptin/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability-7?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5639
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Danish Ali Malik Top Bar – PopUps – by WPOptin wpoptin allows Reflected XSS. This issue affects Top Bar – PopUps – by WPOptin: from n/a through <= 2.0.8.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin enables exploitation via crafted malicious links (T1204.001) to execute arbitrary JavaScript in the browser (T1059.007) after exploiting the web application vulnerability (T1190).
Mitigating Controls (NIST 800-53 r5)
SI-15 requires filtering information outputs to neutralize malicious scripts reflected in web page generation, directly preventing reflected XSS exploitation.
SI-10 mandates validation of inputs to block malicious payloads from being accepted and reflected unsafely in web responses.
SI-2 ensures timely identification, reporting, and correction of flaws like this XSS vulnerability in the WordPress plugin.
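The following is an added example, not code from the wpoptin plugin, from Patchstack, or from this advisory. It shows the reflected-input pattern described in the analysis above (CWE-79) in plain PHP, and beside it the two controls the mitigation list names: input validation (SI-10) and output filtering (SI-15). The function names, the `title` parameter and the sample request are constructed for illustration; `htmlspecialchars()` stands in for WordPress's `esc_html()` so the file runs without WordPress.

```php
<?php
// Added example (not the plugin's or the advisory's code). The request
// parameter name "title" and the sample value below are constructed.

declare(strict_types=1);

// Unsafe pattern: the request value is concatenated straight into the HTML
// response. Any markup in the value is returned live to the browser, which
// is the CWE-79 reflected XSS pattern the advisory describes.
function render_banner_unsafe(array $query): string
{
    $title = $query['title'] ?? '';
    return '<div class="top-bar">' . $title . '</div>';
}

// SI-10 (input validation): accept only what the feature needs. A banner
// title is limited to a short, printable string; anything else falls back
// to a default rather than being passed through.
function validate_title(string $raw): string
{
    // Remove control characters, then enforce a length bound (bytes).
    $clean = preg_replace('/[\x00-\x1F\x7F]/u', '', $raw) ?? '';
    if ($clean === '' || strlen($clean) > 80) {
        return 'Welcome';
    }
    return $clean;
}

// SI-15 (output filtering): encode for the context the value lands in,
// here HTML text content. In a WordPress plugin this is what esc_html()
// does; htmlspecialchars() is the plain-PHP equivalent used so this runs
// stand-alone.
function esc_html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validate on the way in, encode on the way out.
function render_banner_safe(array $query): string
{
    $title = validate_title((string) ($query['title'] ?? ''));
    return '<div class="top-bar">' . esc_html_text($title) . '</div>';
}

// Constructed request: a "title" that carries markup instead of plain text.
$request = ['title' => 'Sale <i>today</i> & more "quoted"'];

echo render_banner_unsafe($request), PHP_EOL;
echo render_banner_safe($request), PHP_EOL;
```

Run with `php example.php`: the unsafe function echoes the `<i>` tag and quotes back untouched, so the browser would interpret them as markup; the hardened function returns the same text with `<`, `>`, `&` and `"` converted to HTML entities, so the browser renders it as literal characters. Encoding must match the output context: a value placed into an attribute or a script block needs the corresponding escaper (`esc_attr()` or `wp_json_encode()` in WordPress) rather than the HTML-text one shown here.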