Skip to main content

WP Church Center CVE-2025-25157

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:15 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Church Center allows Reflected XSS. This issue affects WP Church Center: from n/a through 1.3.3.

AnalysisAI

Reflected cross-site scripting in WP Church Center plugin (versions ≤1.3.3) enables network-based attackers to execute arbitrary JavaScript in victim browsers without authentication, requiring only that a user click a malicious link. The scope-change vector indicates potential compromise beyond the vulnerable plugin itself. EPSS exploitation probability is low (0.09%, 26th percentile) with no evidence of active exploitation or public proof-of-concept at time of analysis, suggesting this remains a theoretical risk requiring social engineering to weaponize.

Technical ContextAI

WP Church Center is a WordPress plugin integrating Planning Center services into WordPress sites. This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) where user-supplied input reflected in HTTP responses is not adequately sanitized or encoded before output. The reflected XSS variant executes when malicious parameters embedded in URLs are processed and echoed back in the response without proper escaping. The CVSS scope-change metric (S:C) indicates the vulnerability exists in the plugin but can affect resources beyond its security boundary, typical when XSS in a WordPress plugin can access cookies, session tokens, or administrative functions of the parent WordPress installation.

Affected ProductsAI

WordPress WP Church Center plugin developed by NotFound, affecting all versions from initial release through version 1.3.3 inclusive. The vulnerability exists in the WordPress plugin ecosystem requiring WordPress core as a dependency. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/wp-church-center/vulnerability/wordpress-wp-church-center-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability provides detailed affected version confirmation.

RemediationAI

Upgrade WP Church Center plugin to version 1.3.4 or later if available (verify current release version at WordPress.org plugin repository or vendor GitHub). Access the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-church-center/vulnerability/wordpress-wp-church-center-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability to confirm patched version and changelog. If upgrading is not immediately feasible, implement these compensating controls with noted trade-offs: enforce Content Security Policy headers with script-src directives restricting inline script execution (may break legitimate plugin functionality requiring inline scripts - test thoroughly in staging); deploy Web Application Firewall rules filtering common XSS patterns in query parameters and POST bodies (generates false positives if plugin legitimately processes HTML/JavaScript in user inputs); restrict WordPress admin access to VPN-only networks and enforce administrator security awareness training emphasizing link validation (reduces attack surface but doesn't eliminate risk from compromised trusted sources). Note that disabling the plugin entirely eliminates risk but removes all WP Church Center integration functionality.

Share

CVE-2025-25157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy