Skip to main content

Meta Accelerator CVE-2025-25164

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 25, 2026 - 01:12 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 25, 2026 - 01:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Meta Accelerator allows Reflected XSS. This issue affects Meta Accelerator: from n/a through 1.0.4.

AnalysisAI

Reflected XSS in the Meta Accelerator WordPress plugin through version 1.0.4 enables remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exploits improper input sanitization in web page generation, requiring victim interaction (user must click a malicious link) but no authentication. Changed scope (S:C) indicates potential session hijacking or actions outside the vulnerable component's context. EPSS score of 0.09% (26th percentile) suggests low observed exploitation probability. No CISA KEV listing or public exploit code identified at time of analysis.

Technical ContextAI

This is a reflected (non-persistent) cross-site scripting vulnerability in the Meta Accelerator WordPress plugin, a tool for optimizing metadata delivery. The flaw stems from CWE-79: improper neutralization of user-controlled input during HTML output generation. Affected versions include all releases through 1.0.4 (starting point 'n/a' indicates uncertainty about earliest affected version). Reflected XSS vulnerabilities occur when user-supplied data is echoed back into HTTP responses without proper encoding, allowing attackers to inject malicious scripts that execute in the context of the vulnerable application. The WordPress plugin ecosystem is a common target for XSS attacks due to inconsistent input validation practices across third-party developers.

Affected ProductsAI

The vulnerability affects the Meta Accelerator WordPress plugin maintained by NotFound, specifically all versions from an unspecified starting point through version 1.0.4. According to Patchstack advisory referenced at https://patchstack.com/database/wordpress/plugin/meta-accelerator/vulnerability/wordpress-meta-accelerator-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability, version 1.0.4 is confirmed vulnerable. The lack of a defined lower version bound ('n/a') suggests either all historical versions are affected or version tracking was incomplete during initial disclosure.

RemediationAI

Upgrade the Meta Accelerator WordPress plugin to version 1.0.5 or later if available, following the vendor's update procedures through the WordPress admin dashboard or manual installation. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/meta-accelerator/vulnerability/wordpress-meta-accelerator-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability for vendor-confirmed patch status and release timeline. If immediate patching is not feasible, implement defense-in-depth controls: deploy Web Application Firewall (WAF) rules to block common XSS payloads in HTTP parameters (note: may cause false positives requiring tuning), enforce strict Content Security Policy (CSP) headers to prevent inline script execution (may break legitimate plugin functionality requiring testing), or temporarily disable the Meta Accelerator plugin if its functionality is non-critical to operations. For high-risk environments, consider restricting WordPress admin access to trusted IP ranges and implementing multi-factor authentication to limit damage from potential session hijacking via XSS exploitation.

Share

CVE-2025-25164 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy