Skip to main content

Callback Request CVE-2025-25129

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:19 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Callback Request allows Reflected XSS. This issue affects Callback Request: from n/a through 1.4.

AnalysisAI

Reflected cross-site scripting (XSS) in the Callback Request WordPress plugin through version 1.4 allows remote attackers to inject malicious JavaScript by manipulating user-supplied input reflected in web page output without proper sanitization. Exploitation requires victim interaction (UI:R) with a crafted link but needs no authentication (PR:N), enabling attacks via phishing or malicious websites. The changed scope (S:C) indicates potential impact beyond the vulnerable plugin itself. EPSS score of 0.09% (26th percentile) suggests low immediate exploitation risk, and no active exploitation or public POC has been identified at time of analysis.

Technical ContextAI

This vulnerability is a classic reflected XSS (CWE-79) in a WordPress callback/contact form plugin. Reflected XSS occurs when user-supplied data (typically URL parameters or form inputs) is immediately echoed back in the HTTP response without proper encoding or validation. In WordPress plugins handling form submissions or callback requests, common injection points include GET/POST parameters for names, phone numbers, messages, or callback times that are displayed in confirmation messages, error pages, or admin notifications. The vulnerability allows attackers to inject arbitrary HTML and JavaScript that executes in the victim's browser context when they visit a specially crafted URL. The changed scope in the CVSS vector (S:C) indicates the injected code can affect resources beyond the plugin's security boundary, potentially accessing WordPress session cookies, CSRF tokens, or other site data.

Affected ProductsAI

The vulnerability affects the Callback Request plugin for WordPress, all versions from the initial release through version 1.4. This is a WordPress plugin developed by NotFound that provides callback request form functionality for websites. According to Patchstack vulnerability database references, the affected version range is explicitly stated as up to and including version 1.4. Organizations should verify their installed version through the WordPress admin dashboard under Plugins. The specific WordPress platform compatibility versions are not detailed in the available data, but standard WordPress plugin architecture is assumed.

RemediationAI

Check the Callback Request plugin version in WordPress admin dashboard (Plugins section) and upgrade to version 1.4.1 or later if available, though the patched version number is not independently confirmed in the provided references. Consult the Patchstack vulnerability advisory at https://patchstack.com/database/wordpress/plugin/callback-request/vulnerability/wordpress-callback-request-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability for the latest remediation guidance and verified fix version. If no patched version exists or immediate upgrade is not feasible, implement these compensating controls: disable the plugin entirely if callback functionality is not business-critical; restrict plugin access to authenticated users only through WordPress role management; deploy a web application firewall (WAF) with XSS detection rules to filter malicious input in URL parameters and form fields (noting this adds latency and potential false positives); implement Content Security Policy (CSP) headers to restrict inline script execution, though this may break legitimate plugin functionality requiring JavaScript. For callback forms that must remain active, educate users not to click untrusted links containing the site domain with unusual URL parameters.

Share

CVE-2025-25129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy