Status Updater CVE-2025-25124
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devu Status Updater allows Reflected XSS. This issue affects Status Updater: from n/a through 1.9.2.
AnalysisAI
Reflected cross-site scripting in Status Updater WordPress plugin (versions ≤1.9.2) allows remote unauthenticated attackers to inject malicious scripts that execute in victims' browsers with changed security context (CVSS scope change). Attack vector is network-based with low complexity but requires user interaction (typically clicking a crafted link). EPSS score of 0.15% (36th percentile) indicates low automated exploitation probability. No CISA KEV listing or public POC identified at time of analysis. Patchstack database entry suggests this may be part of a broader WordPress plugin vulnerability pattern, though reference URLs contain inconsistent metadata (titles reference different plugin 'WP Spell Check' despite CVE being for Status Updater).
Technical ContextAI
This is a CWE-79 reflected cross-site scripting vulnerability in the Status Updater WordPress plugin (also referenced as 'fb-status-updater' in URLs). Reflected XSS occurs when user-supplied data is included in HTTP responses without proper output encoding or sanitization, allowing attackers to inject JavaScript that executes in the victim's browser session. The CVSS scope change (S:C) indicates the vulnerability affects resources beyond the vulnerable component's security scope - in WordPress plugin context, this typically means injected scripts can access WordPress admin session cookies or perform actions across the WordPress installation. The plugin likely fails to sanitize URL parameters or form inputs before reflecting them in HTML output. Affected versions are all releases through 1.9.2, with no lower bound specified in NVD data, suggesting the vulnerability may exist since initial release.
Affected ProductsAI
WordPress Status Updater plugin (also identified as 'fb-status-updater' in repository slugs) versions 1.9.2 and earlier. All prior versions are presumed vulnerable given NVD notation 'from n/a through 1.9.2' indicating no specified lower bound. The plugin is developed by 'devu' per NVD vendor attribution. No CPE data provided in available sources. Patchstack vulnerability database entry available at https://patchstack.com/database/wordpress/plugin/fb-status-updater/ though direct CVE reference URLs contain metadata inconsistencies that require verification.
RemediationAI
Upgrade Status Updater plugin to a patched version above 1.9.2 if available through WordPress.org plugin repository or vendor channels. Check plugin update availability in WordPress admin dashboard (Plugins > Installed Plugins) or directly at wordpress.org/plugins/fb-status-updater/. If no patched version is released or plugin is abandoned, implement these compensating controls: (1) Deactivate and uninstall Status Updater plugin if not business-critical - reflected XSS cannot be exploited if vulnerable code is removed. (2) If plugin must remain active, deploy Web Application Firewall (WAF) rules to block common XSS payloads in URL parameters - note this is signature-based and may be bypassed with encoding techniques. (3) Implement Content Security Policy (CSP) headers with 'script-src self' directive to restrict inline script execution - this prevents injected scripts from running but may break legitimate plugin functionality requiring inline JavaScript. (4) Educate WordPress administrators to avoid clicking untrusted links while logged into admin sessions, and consider browser isolation for administrative access. Consult Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fb-status-updater/ for vendor-specific guidance, though verify metadata accuracy given observed reference inconsistencies.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today