CVE-2025-25124

Vulnerability

CVE-2025-25124 is a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Status Updater (fb-status-updater), affecting versions up to and including 1.9.2. The vulnerability arises from improper neutralization of user-supplied input during web page generation [1].

Exploitation

An attacker can exploit this without prior authentication, but successful exploitation requires user interaction. The victim must click a crafted link, visit a specially prepared page, or submit a form that triggers the reflected XSS payload [1]. The attack can be initiated from any role; however, the action of clicking or visiting is necessary to execute the injected script in the victim's browser.

Impact

Successful exploitation may allow an attacker to inject arbitrary HTML and JavaScript into the affected website's page. This can lead to redirects, injection of advertisements, or other malicious payloads that execute when other users visit the compromised site [1].

Mitigation

Users are strongly advised to update the plugin to the latest patched version as soon as it becomes available. As a temporary measure, Patchstack has released a mitigation rule that blocks attacks until an official patch is applied and tested [1]. Immediate action is recommended as this vulnerability is likely to be used in mass-exploit campaigns.