Meta Accelerator CVE-2025-25164
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Meta Accelerator allows Reflected XSS. This issue affects Meta Accelerator: from n/a through 1.0.4.
AnalysisAI
Reflected XSS in the Meta Accelerator WordPress plugin through version 1.0.4 enables remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exploits improper input sanitization in web page generation, requiring victim interaction (user must click a malicious link) but no authentication. Changed scope (S:C) indicates potential session hijacking or actions outside the vulnerable component's context. EPSS score of 0.09% (26th percentile) suggests low observed exploitation probability. No CISA KEV listing or public exploit code identified at time of analysis.
Technical ContextAI
This is a reflected (non-persistent) cross-site scripting vulnerability in the Meta Accelerator WordPress plugin, a tool for optimizing metadata delivery. The flaw stems from CWE-79: improper neutralization of user-controlled input during HTML output generation. Affected versions include all releases through 1.0.4 (starting point 'n/a' indicates uncertainty about earliest affected version). Reflected XSS vulnerabilities occur when user-supplied data is echoed back into HTTP responses without proper encoding, allowing attackers to inject malicious scripts that execute in the context of the vulnerable application. The WordPress plugin ecosystem is a common target for XSS attacks due to inconsistent input validation practices across third-party developers.
Affected ProductsAI
The vulnerability affects the Meta Accelerator WordPress plugin maintained by NotFound, specifically all versions from an unspecified starting point through version 1.0.4. According to Patchstack advisory referenced at https://patchstack.com/database/wordpress/plugin/meta-accelerator/vulnerability/wordpress-meta-accelerator-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability, version 1.0.4 is confirmed vulnerable. The lack of a defined lower version bound ('n/a') suggests either all historical versions are affected or version tracking was incomplete during initial disclosure.
RemediationAI
Upgrade the Meta Accelerator WordPress plugin to version 1.0.5 or later if available, following the vendor's update procedures through the WordPress admin dashboard or manual installation. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/meta-accelerator/vulnerability/wordpress-meta-accelerator-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability for vendor-confirmed patch status and release timeline. If immediate patching is not feasible, implement defense-in-depth controls: deploy Web Application Firewall (WAF) rules to block common XSS payloads in HTTP parameters (note: may cause false positives requiring tuning), enforce strict Content Security Policy (CSP) headers to prevent inline script execution (may break legitimate plugin functionality requiring testing), or temporarily disable the Meta Accelerator plugin if its functionality is non-critical to operations. For high-risk environments, consider restricting WordPress admin access to trusted IP ranges and implementing multi-factor authentication to limit damage from potential session hijacking via XSS exploitation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today