CVE-2025-25092: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in the WordPress plugin 'All push notification for WP' affecting versions through 1.5.3. The vulnerability was reported by security researcher Dimas Maulana on October 30, 2024, and was officially published on February 3, 2025, receiving the identifier CVE-2025-25092 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) that allows for Reflected XSS attacks. It received a CVSS v3.1 score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating that it can be exploited remotely with low attack complexity and requires no privileges, though user interaction is needed (NVD).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects and advertisements, as well as other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

No official fix is currently available as the software appears to be abandoned, having not been updated for over a year. Users are strongly advised to remove and replace the plugin. Alternatively, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).