CVE-2025-27275
Published: 03 March 2025
Summary
CVE-2025-27275 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-27275 is an improper neutralization of input during web page generation vulnerability, enabling reflected cross-site scripting (XSS) as classified under CWE-79, in the WordPress plugin WOO Codice Fiscale by andrew_fisher. The issue affects all versions of the plugin from n/a through 1.6.3 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility and scope change.
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges but user interaction, such as clicking a malicious link that reflects unsanitized input back into the web page. Exploitation occurs in the victim's browser context, allowing limited impacts on confidentiality, integrity, and availability, such as potential theft of session cookies, defacement of pages for the user, or minor disruptions.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-codice-fiscale/vulnerability/wordpress-woo-codice-fiscale-plugin-1-6-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in the WordPress WOO Codice Fiscale plugin version 1.6.3 and provides associated guidance for practitioners.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5604
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andrew_fisher WOO Codice Fiscale woo-codice-fiscale allows Reflected XSS.This issue affects WOO Codice Fiscale: from n/a through <= 1.6.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and JavaScript execution in victim browser (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 directly mandates filtering information outputs to neutralize untrusted input during web page generation, preventing reflected XSS exploitation.
SI-10 requires validation of information inputs to block malicious payloads that could be reflected as XSS in the WordPress plugin.
SI-2 ensures timely identification, reporting, and correction of flaws like this reflected XSS vulnerability in the plugin through remediation processes.