CVE-2025-1232

Severity: HIGH (CVSS 3.1 base score 8.8)
Published: 2025-03-19

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 28, 2026 - 18:32 (vuln.today)
PoC Detected: May 09, 2025 - 12:00 (vuln.today) - public exploit code
CVE Published: Mar 19, 2025 - 06:15 (nvd)

Description (NVD)

The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks.

Analysis (AI-generated)

The Site Reviews WordPress plugin before version 7.2.5 contains a stored XSS vulnerability via review fields. Unauthenticated users can inject malicious scripts through review submissions that execute when administrators view the reviews in the dashboard, enabling admin session hijacking.

Technical Context (AI-generated)

Review fields submitted through the public review form are not properly sanitized before storage. When an administrator views reviews in the WordPress dashboard, the injected JavaScript executes in their authenticated browser session. This can steal admin cookies, create backdoor admin accounts, or modify site content.

Remediation (AI-generated)

Update Site Reviews to 7.2.5 or later. Implement CSP headers that restrict inline script execution. Review stored reviews for suspicious script content. Enable the HttpOnly flag on session cookies.
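As an added example (not code from vuln.today or from the Site Reviews plugin), the "review stored reviews for suspicious script content" step and the escape-on-output step the advisory says the plugin lacked, run over constructed review records. The record shape and the field names `title`, `content` and `name` are assumptions for illustration, not the plugin's real schema.

```python
"""Scan exported review records for injected markup and escape fields for display."""
import html
import re

# Patterns that should never appear in a plain-text review field. Ordered so the
# most specific marker is reported first; only the first match per field is kept.
SUSPICIOUS = [
    re.compile(r"<\s*script\b", re.I),                       # script tags
    re.compile(r"\bon[a-z]+\s*=", re.I),                     # inline event handlers (onerror=, onload=...)
    re.compile(r"javascript\s*:", re.I),                     # javascript: URLs
    re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I),  # tags that can carry handlers or loads
]

# Assumed field names; the real plugin stores reviews differently.
REVIEW_FIELDS = ("title", "content", "name")

# Constructed sample export: one clean review, two with markup that was never escaped.
SAMPLE_REVIEWS = [
    {"id": 1, "name": "Alice", "title": "Great product", "content": "Five stars, would buy again."},
    {"id": 2, "name": "Bob", "title": "<script>probe()</script>", "content": "ok"},
    {"id": 3, "name": "<img src=x onerror=probe()>", "title": "Fine", "content": "Fine"},
]


def find_suspicious_reviews(reviews):
    """Return (review_id, field, pattern) for every field that looks like injected markup.

    This is a triage aid: hits still need a human look, since prose like
    'season=' can trip the event-handler pattern.
    """
    hits = []
    for review in reviews:
        for field in REVIEW_FIELDS:
            value = review.get(field, "")
            for pattern in SUSPICIOUS:
                if pattern.search(value):
                    hits.append((review["id"], field, pattern.pattern))
                    break
    return hits


def escape_for_dashboard(value):
    """Escape a stored field right before it is rendered as HTML.

    Escaping on output neutralises stored payloads even if input sanitisation
    was skipped; quote=True also covers attribute contexts.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for review_id, field, pattern in find_suspicious_reviews(SAMPLE_REVIEWS):
        print(f"review {review_id}: field '{field}' matched {pattern}")
```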
