How the CVE Works:
CVE-2025-1487 is a Reflected XSS vulnerability in the WoWPth WordPress plugin (versions up to 2.0). The flaw occurs due to improper sanitization of user-supplied input in a parameter, which is then echoed back in the page without escaping. An attacker can craft a malicious URL containing a JavaScript payload, which executes when an administrator or high-privileged user clicks the link. This allows session hijacking, phishing, or unauthorized actions under the victim’s credentials.
DailyCVE Form:
Platform: WordPress
Version: ≤ 2.0
Vulnerability: Reflected XSS
Severity: Medium
Date: 04/09/2025
What Undercode Say:
Exploitation:
1. Craft a malicious URL:
https://victim-site.com/wp-content/plugins/wowpth/page?param=<script>alert(document.cookie)</script>
2. Social-engineer an admin to click the link.
Detection:
Check plugin version via WordPress CLI:
wp plugin list --name=wowpth --field=version