Skip to main content

Status Updater CVE-2025-25124

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:21 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devu Status Updater allows Reflected XSS. This issue affects Status Updater: from n/a through 1.9.2.

AnalysisAI

Reflected cross-site scripting in Status Updater WordPress plugin (versions ≤1.9.2) allows remote unauthenticated attackers to inject malicious scripts that execute in victims' browsers with changed security context (CVSS scope change). Attack vector is network-based with low complexity but requires user interaction (typically clicking a crafted link). EPSS score of 0.15% (36th percentile) indicates low automated exploitation probability. No CISA KEV listing or public POC identified at time of analysis. Patchstack database entry suggests this may be part of a broader WordPress plugin vulnerability pattern, though reference URLs contain inconsistent metadata (titles reference different plugin 'WP Spell Check' despite CVE being for Status Updater).

Technical ContextAI

This is a CWE-79 reflected cross-site scripting vulnerability in the Status Updater WordPress plugin (also referenced as 'fb-status-updater' in URLs). Reflected XSS occurs when user-supplied data is included in HTTP responses without proper output encoding or sanitization, allowing attackers to inject JavaScript that executes in the victim's browser session. The CVSS scope change (S:C) indicates the vulnerability affects resources beyond the vulnerable component's security scope - in WordPress plugin context, this typically means injected scripts can access WordPress admin session cookies or perform actions across the WordPress installation. The plugin likely fails to sanitize URL parameters or form inputs before reflecting them in HTML output. Affected versions are all releases through 1.9.2, with no lower bound specified in NVD data, suggesting the vulnerability may exist since initial release.

Affected ProductsAI

WordPress Status Updater plugin (also identified as 'fb-status-updater' in repository slugs) versions 1.9.2 and earlier. All prior versions are presumed vulnerable given NVD notation 'from n/a through 1.9.2' indicating no specified lower bound. The plugin is developed by 'devu' per NVD vendor attribution. No CPE data provided in available sources. Patchstack vulnerability database entry available at https://patchstack.com/database/wordpress/plugin/fb-status-updater/ though direct CVE reference URLs contain metadata inconsistencies that require verification.

RemediationAI

Upgrade Status Updater plugin to a patched version above 1.9.2 if available through WordPress.org plugin repository or vendor channels. Check plugin update availability in WordPress admin dashboard (Plugins > Installed Plugins) or directly at wordpress.org/plugins/fb-status-updater/. If no patched version is released or plugin is abandoned, implement these compensating controls: (1) Deactivate and uninstall Status Updater plugin if not business-critical - reflected XSS cannot be exploited if vulnerable code is removed. (2) If plugin must remain active, deploy Web Application Firewall (WAF) rules to block common XSS payloads in URL parameters - note this is signature-based and may be bypassed with encoding techniques. (3) Implement Content Security Policy (CSP) headers with 'script-src self' directive to restrict inline script execution - this prevents injected scripts from running but may break legitimate plugin functionality requiring inline JavaScript. (4) Educate WordPress administrators to avoid clicking untrusted links while logged into admin sessions, and consider browser isolation for administrative access. Consult Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fb-status-updater/ for vendor-specific guidance, though verify metadata accuracy given observed reference inconsistencies.

Share

CVE-2025-25124 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy