Skip to main content

Authors Autocomplete Meta Box CVE-2025-25169

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:10 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Authors Autocomplete Meta Box allows Reflected XSS. This issue affects Authors Autocomplete Meta Box: from n/a through 1.2.

AnalysisAI

Reflected cross-site scripting (XSS) in Authors Autocomplete Meta Box WordPress plugin versions up to 1.2 allows remote attackers to execute arbitrary JavaScript in victim browsers. Exploitation requires user interaction - a logged-in administrator or editor must click a malicious link. While CVSS rates this 7.1 (High) due to changed scope, the EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation. No active exploitation confirmed; no CISA KEV listing.

Technical ContextAI

This is a WordPress plugin vulnerability affecting Authors Autocomplete Meta Box through version 1.2. The plugin provides autocomplete functionality for selecting post authors in the WordPress admin interface. The vulnerability stems from improper output encoding (CWE-79) when rendering user-controlled input in dynamically generated web pages. Input provided via URL parameters or form fields is reflected back into the HTML response without adequate sanitization, allowing injection of malicious JavaScript. The CVSS vector indicates network-based attack delivery (AV:N), low complexity (AC:L), no privileges required (PR:N), but mandatory user interaction (UI:R), with changed scope (S:C) meaning the vulnerable component and impacted component are different - typical for XSS where the plugin code is vulnerable but the victim's browser session is compromised.

Affected ProductsAI

WordPress Authors Autocomplete Meta Box plugin versions 1.2 and earlier are confirmed vulnerable per Patchstack advisory. The vulnerability affects all installations of these versions regardless of WordPress core version. Specific CPE data not provided in available intelligence. Vendor advisory and technical details available at Patchstack database reference https://patchstack.com/database/wordpress/plugin/authors-autocomplete-meta-box/vulnerability/wordpress-authors-autocomplete-meta-box-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability.

RemediationAI

No vendor-released patch identified at time of analysis. Patchstack advisory does not list a fixed version beyond 1.2. Recommended immediate actions: (1) Check for plugin updates through WordPress admin dashboard and apply if available since initial analysis; (2) If no update exists, disable and remove Authors Autocomplete Meta Box plugin if not business-critical; (3) If plugin must remain active, implement compensating controls: restrict WordPress admin access to trusted IP ranges via firewall rules or .htaccess (trade-off: limits legitimate remote admin access), enforce strong Content Security Policy headers to mitigate XSS execution (trade-off: may break legitimate inline scripts), and educate WordPress administrators not to click untrusted links while authenticated (trade-off: relies on user behavior). Monitor Patchstack advisory at provided reference URL for patch release notifications. Consider alternative author selection plugins with active maintenance and security track records.

Share

CVE-2025-25169 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy