Skip to main content

All push notification for WP CVE-2025-25092

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gtlwpdev All push notification for WP allows Reflected XSS. This issue affects All push notification for WP: from n/a through 1.5.3.

AnalysisAI

Reflected cross-site scripting (XSS) in All push notification for WP plugin versions through 1.5.3 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. While CVSS rates this 7.1 (High) with changed scope indicating potential token theft or session hijacking beyond the plugin context, EPSS exploitation probability remains low at 0.15% (36th percentile), and no public exploit code or active exploitation (non-KEV) has been identified. Patchstack identified and reported this vulnerability, indicating security research focus on WordPress plugins.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in a WordPress notification plugin where user-supplied input is insufficiently sanitized before being rendered in HTML responses. The plugin processes parameters from incoming HTTP requests and reflects them back in generated web pages without proper output encoding or input validation. The CVSS vector indicates changed scope (S:C), meaning successful exploitation allows the attacker to affect resources beyond the vulnerable component's security scope - in WordPress context, this typically means accessing data or functionality outside the plugin itself, such as WordPress admin session tokens, user cookies, or performing actions with the victim's privileges across the entire WordPress installation.

Affected ProductsAI

WordPress plugin 'All push notification for WP' developed by gtlwpdev, all versions from earliest release through version 1.5.3 inclusive. The vulnerability report from Patchstack (audit@patchstack.com) references this specific version range with no lower bound specified (n/a), indicating the flaw likely exists in the plugin's core input handling architecture present since initial development. Sites running WordPress with this plugin installed and activated are vulnerable. The Patchstack advisory URL is https://patchstack.com/database/wordpress/plugin/all-push-notification/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability?_s_id=cve (note: URL references 'easy-wp-tiles' which may be a database cross-reference error by Patchstack).

RemediationAI

Upgrade All push notification for WP plugin to a patched version newer than 1.5.3 if available through the WordPress plugin repository or vendor. Check the official WordPress plugin page (wordpress.org/plugins/all-push-notification/) or contact developer gtlwpdev for patch availability, as the provided data does not confirm a specific fixed version number. If no patch is released, implement compensating controls: restrict plugin access to only trusted administrator accounts who understand phishing risks, deploy Content Security Policy (CSP) headers with strict script-src directives to prevent inline JavaScript execution (may break legitimate plugin functionality requiring testing), implement Web Application Firewall (WAF) rules to filter reflected input patterns in plugin-specific parameters (requires identifying exact vulnerable parameters from Patchstack technical details), or disable and replace the plugin with alternative push notification solutions. Temporary plugin deactivation eliminates attack surface but removes push notification functionality entirely. Review Patchstack advisory at https://patchstack.com/database/wordpress/plugin/all-push-notification/ for vendor-specific remediation guidance and technical exploitation details.

Share

CVE-2025-25092 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy