Cross-site Scripting Vulnerability in All Push Notification for WP by gtlwpdev
CVE-2025-25092
7.1 HIGH
Summary
A reflected cross-site scripting (XSS) vulnerability exists in All Push Notification for WP by gtlwpdev. The flaw is triggered during web page generation and allows attackers to inject malicious scripts into web pages viewed by users, which could compromise user data or perform unauthorized actions. The issue affects all versions of All Push Notification for WP up to and including 1.5.3, so sites running an affected version need immediate security measures to protect users from potential exploitation.
Affected Version(s)
All push notification for WP <= 1.5.3
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Dimas Maulana (Patchstack Alliance)