Authors Autocomplete Meta Box CVE-2025-25169
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Authors Autocomplete Meta Box allows Reflected XSS. This issue affects Authors Autocomplete Meta Box: from n/a through 1.2.
AnalysisAI
Reflected cross-site scripting (XSS) in Authors Autocomplete Meta Box WordPress plugin versions up to 1.2 allows remote attackers to execute arbitrary JavaScript in victim browsers. Exploitation requires user interaction - a logged-in administrator or editor must click a malicious link. While CVSS rates this 7.1 (High) due to changed scope, the EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation. No active exploitation confirmed; no CISA KEV listing.
Technical ContextAI
This is a WordPress plugin vulnerability affecting Authors Autocomplete Meta Box through version 1.2. The plugin provides autocomplete functionality for selecting post authors in the WordPress admin interface. The vulnerability stems from improper output encoding (CWE-79) when rendering user-controlled input in dynamically generated web pages. Input provided via URL parameters or form fields is reflected back into the HTML response without adequate sanitization, allowing injection of malicious JavaScript. The CVSS vector indicates network-based attack delivery (AV:N), low complexity (AC:L), no privileges required (PR:N), but mandatory user interaction (UI:R), with changed scope (S:C) meaning the vulnerable component and impacted component are different - typical for XSS where the plugin code is vulnerable but the victim's browser session is compromised.
Affected ProductsAI
WordPress Authors Autocomplete Meta Box plugin versions 1.2 and earlier are confirmed vulnerable per Patchstack advisory. The vulnerability affects all installations of these versions regardless of WordPress core version. Specific CPE data not provided in available intelligence. Vendor advisory and technical details available at Patchstack database reference https://patchstack.com/database/wordpress/plugin/authors-autocomplete-meta-box/vulnerability/wordpress-authors-autocomplete-meta-box-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability.
RemediationAI
No vendor-released patch identified at time of analysis. Patchstack advisory does not list a fixed version beyond 1.2. Recommended immediate actions: (1) Check for plugin updates through WordPress admin dashboard and apply if available since initial analysis; (2) If no update exists, disable and remove Authors Autocomplete Meta Box plugin if not business-critical; (3) If plugin must remain active, implement compensating controls: restrict WordPress admin access to trusted IP ranges via firewall rules or .htaccess (trade-off: limits legitimate remote admin access), enforce strong Content Security Policy headers to mitigate XSS execution (trade-off: may break legitimate inline scripts), and educate WordPress administrators not to click untrusted links while authenticated (trade-off: relies on user behavior). Monitor Patchstack advisory at provided reference URL for patch release notifications. Consider alternative author selection plugins with active maintenance and security track records.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today