CVE-2025-25169

High

Published: 03 March 2025

Published

03 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0035 57.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25169 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

SI-15 requires filtering of information outputs to prevent unneutralized user input from executing malicious scripts in the context of the victim's browser during reflected XSS in the WordPress plugin.

SI-10 Information Input Validation good match

prevent

SI-10 enforces validation of inputs to the Authors Autocomplete Meta Box, blocking malicious payloads before they are reflected in generated web pages.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates identification and remediation of flaws like CVE-2025-25169, ensuring the vulnerable WordPress plugin is patched to eliminate the XSS vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1539 Steal Web Session Cookie Credential Access

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

Why these techniques?

Reflected XSS in public-facing WordPress plugin enables T1190 (explicitly includes XSS for initial access); arbitrary browser script execution directly facilitates T1539 (steal web session cookies) and T1185 (browser session hijacking).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry Authors Autocomplete Meta Box authors-autocomplete-meta-box allows Reflected XSS.This issue affects Authors Autocomplete Meta Box: from n/a through <= 1.2.

Deeper analysisAI

CVE-2025-25169 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Authors Autocomplete Meta Box WordPress plugin by Rachel Cherry. The flaw affects all versions of the plugin from n/a through 1.2 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges required, though it demands user interaction such as visiting a malicious link or page. Upon successful exploitation, reflected XSS enables arbitrary script execution in the context of the victim's browser on the affected site, resulting in low impacts to confidentiality, integrity, and availability, with a changed scope.

The Patchstack advisory documents this Reflected XSS vulnerability specifically in Authors Autocomplete Meta Box plugin version 1.2 for WordPress.

Details

CWE(s): CWE-79

CVEs Like This One

CVE-2025-0817Shared CWE-79

CVE-2026-24665Shared CWE-79

CVE-2026-32728Shared CWE-79

CVE-2026-2072Shared CWE-79

CVE-2024-55227Shared CWE-79

CVE-2025-25062Shared CWE-79

CVE-2024-51700Shared CWE-79

CVE-2026-27245Shared CWE-79

CVE-2025-22335Shared CWE-79

CVE-2025-68887Shared CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/authors-autocomplete-meta-box/vulnerability/wordpress-authors-autocomplete-meta-box-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com