CVE-2025-25129
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Callback Request allows Reflected XSS. This issue affects Callback Request: from n/a through 1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Callback Request plugin versions ≤1.4 are susceptible to reflected XSS, potentially allowing script injection via crafted requests without authentication.
Vulnerability
Overview
The Callback Request plugin for WordPress, in all versions up to and including 1.4, suffers from a reflected cross-site scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, meaning the plugin fails to sanitize or escape parameters before reflecting them in the HTML response. This allows an attacker to inject arbitrary JavaScript or HTML that executes in the browser of a victim who visits a crafted link [1].
Exploitation
Attackers can exploit this vulnerability by constructing a malicious URL that includes a payload in a query parameter. No authentication is required to trigger the reflection, but the attack does require user interaction: the target must click the crafted link or visit a page containing it. The vulnerability is classified as reflected XSS, so the payload is not stored on the server but delivered immediately via the HTTP response. This type of flaw is commonly used in mass-exploit campaigns targeting WordPress sites, regardless of their size or popularity [1].
Impact
Successful exploitation enables the attacker to inject malicious scripts into the victim's browser context. Potential actions include redirecting users to phishing pages, displaying unauthorized ads, stealing session cookies, or performing other actions that the victim's browser can execute. The CVSS score of 7.1 (High) reflects the moderate complexity and the need for user interaction, but the potential for broad automated attacks elevates the real-world risk [1].
Mitigation
As immediate action, administrators should update the Callback Request plugin to the latest patched version once available. Patchstack has issued a mitigation rule that blocks attacks until an official patch is released. Users unable to update should consult their hosting provider or web developer for assistance [1].
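To make "improper neutralization during web page generation" concrete, the following PHP is an added illustration, not the Callback Request plugin's own code: it shows the reflected pattern the advisory describes beside its escaped form. The parameter names cb_name and cb_phone and the sample input are constructed for the example.

```php
<?php
// Added example for CVE-2025-25129's bug class (reflected XSS in a WordPress
// form handler). Not the plugin's code; field names are hypothetical.

// Vulnerable pattern: request input is written into HTML without neutralization,
// so a crafted query string is reflected verbatim into the response.
function render_form_vulnerable(array $params): string {
    $name  = (string) ($params['cb_name']  ?? '');
    $phone = (string) ($params['cb_phone'] ?? '');
    return '<input name="cb_name" value="' . $name . '">'
         . '<p>We will call ' . $phone . ' back shortly.</p>';
}

// Hardened pattern: escape for the HTML context the value lands in.
// htmlspecialchars() with ENT_QUOTES neutralizes <, >, &, " and '.
// In WordPress the idiomatic calls are esc_attr() for attribute values
// and esc_html() for element text; this helper stands in for both.
function esc_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_form_hardened(array $params): string {
    $name  = esc_for_html((string) ($params['cb_name']  ?? ''));
    $phone = esc_for_html((string) ($params['cb_phone'] ?? ''));
    return '<input name="cb_name" value="' . $name . '">'
         . '<p>We will call ' . $phone . ' back shortly.</p>';
}

// Constructed sample input: closes the attribute and injects a harmless tag.
$sample = ['cb_name' => '"><b>x</b>', 'cb_phone' => '<i>555</i>'];

$vuln = render_form_vulnerable($sample);
$safe = render_form_hardened($sample);

// Review check: user-supplied tags must not survive as raw markup.
if (strpos($vuln, '<b>x</b>') === false) {
    throw new RuntimeException('expected the vulnerable form to reflect markup');
}
if (strpos($safe, '<b>') !== false || strpos($safe, '&quot;&gt;&lt;b&gt;') === false) {
    throw new RuntimeException('hardened form failed to neutralize input');
}

echo "vulnerable: ", $vuln, PHP_EOL;   // attribute closed, <b>x</b> rendered
echo "hardened:   ", $safe, PHP_EOL;   // &quot;&gt;&lt;b&gt;x&lt;/b&gt; shown as text
```

Run with `php example.php`; the hardened output is what a patched plugin should produce for the same request.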
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.