Callback Request CVE-2025-25129
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Callback Request allows Reflected XSS. This issue affects Callback Request: from n/a through 1.4.
AnalysisAI
Reflected cross-site scripting (XSS) in the Callback Request WordPress plugin through version 1.4 allows remote attackers to inject malicious JavaScript by manipulating user-supplied input reflected in web page output without proper sanitization. Exploitation requires victim interaction (UI:R) with a crafted link but needs no authentication (PR:N), enabling attacks via phishing or malicious websites. The changed scope (S:C) indicates potential impact beyond the vulnerable plugin itself. EPSS score of 0.09% (26th percentile) suggests low immediate exploitation risk, and no active exploitation or public POC has been identified at time of analysis.
Technical ContextAI
This vulnerability is a classic reflected XSS (CWE-79) in a WordPress callback/contact form plugin. Reflected XSS occurs when user-supplied data (typically URL parameters or form inputs) is immediately echoed back in the HTTP response without proper encoding or validation. In WordPress plugins handling form submissions or callback requests, common injection points include GET/POST parameters for names, phone numbers, messages, or callback times that are displayed in confirmation messages, error pages, or admin notifications. The vulnerability allows attackers to inject arbitrary HTML and JavaScript that executes in the victim's browser context when they visit a specially crafted URL. The changed scope in the CVSS vector (S:C) indicates the injected code can affect resources beyond the plugin's security boundary, potentially accessing WordPress session cookies, CSRF tokens, or other site data.
Affected ProductsAI
The vulnerability affects the Callback Request plugin for WordPress, all versions from the initial release through version 1.4. This is a WordPress plugin developed by NotFound that provides callback request form functionality for websites. According to Patchstack vulnerability database references, the affected version range is explicitly stated as up to and including version 1.4. Organizations should verify their installed version through the WordPress admin dashboard under Plugins. The specific WordPress platform compatibility versions are not detailed in the available data, but standard WordPress plugin architecture is assumed.
RemediationAI
Check the Callback Request plugin version in WordPress admin dashboard (Plugins section) and upgrade to version 1.4.1 or later if available, though the patched version number is not independently confirmed in the provided references. Consult the Patchstack vulnerability advisory at https://patchstack.com/database/wordpress/plugin/callback-request/vulnerability/wordpress-callback-request-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability for the latest remediation guidance and verified fix version. If no patched version exists or immediate upgrade is not feasible, implement these compensating controls: disable the plugin entirely if callback functionality is not business-critical; restrict plugin access to authenticated users only through WordPress role management; deploy a web application firewall (WAF) with XSS detection rules to filter malicious input in URL parameters and form fields (noting this adds latency and potential false positives); implement Content Security Policy (CSP) headers to restrict inline script execution, though this may break legitimate plugin functionality requiring JavaScript. For callback forms that must remain active, educate users not to click untrusted links containing the site domain with unusual URL parameters.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today