CVE-2025-25133
Published: 03 March 2025
Summary
CVE-2025-25133 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 45.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces filtering of reflected inputs prior to web page generation, directly neutralizing malicious scripts to prevent XSS execution in the WP Frontend Submit plugin.
Validates user inputs to block malicious payloads before they are processed and reflected by the vulnerable plugin.
Requires timely patching of the WP Frontend Submit plugin to remediate the improper input neutralization flaw across affected versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The reflected XSS allows crafting malicious links for phishing delivery (T1566.002) and arbitrary browser script execution enabling web session cookie theft for hijacking (T1539).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in newbiesup WP Frontend Submit wp-frontend-submit allows Reflected XSS.This issue affects WP Frontend Submit: from n/a through <= 1.1.0.
Deeper analysisAI
CVE-2025-25133 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS), in the WP Frontend Submit plugin (wp-frontend-submit) developed by newbiesup for WordPress. This issue affects all versions of the plugin from n/a through 1.1.0. The vulnerability carries a CVSS v3.1 base score of 7.1, with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts on confidentiality, integrity, and availability.
Attackers can exploit this Reflected XSS flaw by crafting malicious inputs that are reflected back in web page generation without proper neutralization, tricking authenticated or unauthenticated users into interacting with a malicious link or payload via a phishing vector. No privileges are required (PR:N), but user interaction (UI:R) is necessary, such as clicking a link. Successful exploitation allows execution of arbitrary scripts in the victim's browser context, potentially leading to low-level impacts like session hijacking, data theft, or page manipulation, with scope change (S:C) enabling actions beyond the vulnerable component.
Patchstack provides details on this vulnerability, including mitigation guidance, via their advisory at https://patchstack.com/database/Wordpress/Plugin/wp-frontend-submit/vulnerability/wordpress-indeed-api-plugin-0-5-csrf-to-settings-change-vulnerability-2?_s_id=cve. Security practitioners should update to a patched version if available or apply workarounds as recommended in the advisory.
Details
- CWE(s)