All push notification for WP CVE-2025-25092
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gtlwpdev All push notification for WP allows Reflected XSS. This issue affects All push notification for WP: from n/a through 1.5.3.
AnalysisAI
Reflected cross-site scripting (XSS) in All push notification for WP plugin versions through 1.5.3 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. While CVSS rates this 7.1 (High) with changed scope indicating potential token theft or session hijacking beyond the plugin context, EPSS exploitation probability remains low at 0.15% (36th percentile), and no public exploit code or active exploitation (non-KEV) has been identified. Patchstack identified and reported this vulnerability, indicating security research focus on WordPress plugins.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in a WordPress notification plugin where user-supplied input is insufficiently sanitized before being rendered in HTML responses. The plugin processes parameters from incoming HTTP requests and reflects them back in generated web pages without proper output encoding or input validation. The CVSS vector indicates changed scope (S:C), meaning successful exploitation allows the attacker to affect resources beyond the vulnerable component's security scope - in WordPress context, this typically means accessing data or functionality outside the plugin itself, such as WordPress admin session tokens, user cookies, or performing actions with the victim's privileges across the entire WordPress installation.
Affected ProductsAI
WordPress plugin 'All push notification for WP' developed by gtlwpdev, all versions from earliest release through version 1.5.3 inclusive. The vulnerability report from Patchstack (audit@patchstack.com) references this specific version range with no lower bound specified (n/a), indicating the flaw likely exists in the plugin's core input handling architecture present since initial development. Sites running WordPress with this plugin installed and activated are vulnerable. The Patchstack advisory URL is https://patchstack.com/database/wordpress/plugin/all-push-notification/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability?_s_id=cve (note: URL references 'easy-wp-tiles' which may be a database cross-reference error by Patchstack).
RemediationAI
Upgrade All push notification for WP plugin to a patched version newer than 1.5.3 if available through the WordPress plugin repository or vendor. Check the official WordPress plugin page (wordpress.org/plugins/all-push-notification/) or contact developer gtlwpdev for patch availability, as the provided data does not confirm a specific fixed version number. If no patch is released, implement compensating controls: restrict plugin access to only trusted administrator accounts who understand phishing risks, deploy Content Security Policy (CSP) headers with strict script-src directives to prevent inline JavaScript execution (may break legitimate plugin functionality requiring testing), implement Web Application Firewall (WAF) rules to filter reflected input patterns in plugin-specific parameters (requires identifying exact vulnerable parameters from Patchstack technical details), or disable and replace the plugin with alternative push notification solutions. Temporary plugin deactivation eliminates attack surface but removes push notification functionality entirely. Review Patchstack advisory at https://patchstack.com/database/wordpress/plugin/all-push-notification/ for vendor-specific remediation guidance and technical exploitation details.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today