Cyber Resilience

CVE-2025-27271

High

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0021 43.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27271 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-27271 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the DB Tables Import/Export WordPress plugin by Alberto Cocchiara. The issue affects the plugin from its initial release through version 1.0.1.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), but it requires user interaction (UI:R), such as clicking a malicious link. Exploitation changes the security scope (S:C) and enables low-impact effects on confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 7.1. This allows script execution in the victim's browser context, potentially leading to session hijacking or data theft from authenticated users.

The primary advisory from Patchstack, available at https://patchstack.com/database/Wordpress/Plugin/db-tables-importexport/vulnerability/wordpress-db-tables-import-export-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, documents this WordPress plugin vulnerability and provides details for practitioners to assess and address it.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alberto Cocchiara DB Tables Import/Export db-tables-importexport allows Reflected XSS.This issue affects DB Tables Import/Export: from n/a through <= 1.0.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing apps (T1190), arbitrary JavaScript execution in browser (T1059.007), and session hijacking via script context (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23722Shared CWE-79
CVE-2025-68874Shared CWE-79
CVE-2025-53231Shared CWE-79
CVE-2026-22524Shared CWE-79
CVE-2025-0521Shared CWE-79
CVE-2025-15440Shared CWE-79
CVE-2025-22766Shared CWE-79
CVE-2026-22867Shared CWE-79
CVE-2025-40587Shared CWE-79
CVE-2022-50905Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Information output filtering directly neutralizes unsanitized inputs reflected in web pages, preventing script execution in reflected XSS attacks like CVE-2025-27271.

prevent

Information input validation rejects or sanitizes malicious inputs containing scripts, blocking the root cause of reflected XSS exploitation in the WordPress plugin.

prevent

Flaw remediation ensures timely patching of the specific XSS vulnerability in DB Tables Import/Export plugin versions through 1.0.1.

References