CVE-2025-15396
BaseFortify
Publication date: 2026-02-02
Last updated on: 2026-02-02
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| library_viewer | library_viewer | up to 3.2.0 (excluding 3.2.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a Reflected Cross-Site Scripting (XSS) issue that allows execution of arbitrary JavaScript code in the context of high-privilege users such as administrators. Such vulnerabilities can lead to unauthorized access, data leakage, or manipulation of sensitive information.
Because of the potential for unauthorized access and data compromise, this vulnerability could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.
Specifically, failure to properly sanitize inputs and prevent XSS attacks may violate requirements for data integrity, confidentiality, and security controls mandated by these regulations.
Can you explain this vulnerability to me?
CVE-2025-15396 is a Reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Library Viewer versions before 3.2.0. The plugin does not properly sanitize and escape certain URL parameters, specifically 'library-viewer-error-message' and 'library-viewer-success-message', before displaying them on a page. An attacker can craft a URL with malicious JavaScript code in these parameters. When a high-privilege user, such as an administrator, visits this URL, the malicious script executes in their browser, potentially compromising their session or the site. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of a high-privilege user like an administrator. This can lead to session hijacking, unauthorized actions performed on behalf of the admin, theft of sensitive information, or further compromise of the website's security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by testing if the parameters `library-viewer-error-message` and `library-viewer-success-message` in URLs are vulnerable to reflected XSS. For example, visit URLs like: `http://example.com/page-with-shortcode/?library-viewer-error-message=<img src=x onerror=alert(1)>` or `http://example.com/page-with-shortcode/?library-viewer-success-message=<img src=x onerror=alert(1)>`. If an alert box appears, the vulnerability is present. This manual test can be done using a browser or tools like curl or wget to fetch the page and inspect the response for unsanitized input. Example curl command: `curl -i "http://example.com/page-with-shortcode/?library-viewer-error-message=<img src=x onerror=alert(1)>"` and then check the response for reflected script tags. [1]
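The answer above covers active probing. A defender usually also wants two offline checks: a scan of web server access logs for requests that carry the two parameter names with HTML or script content (exploitation attempts, whether or not they succeeded), and a way to confirm after patching that a saved page response reflects the parameter HTML-escaped rather than verbatim. The script below is an added example written for this record; it is not BaseFortify's or the Library Viewer plugin's code. It assumes Apache/nginx combined log format, uses a hand-written heuristic regex for "markup in a status message", and the log lines and HTML fragments it runs on are constructed samples.

```python
"""Added example for CVE-2025-15396 (not the plugin's or BaseFortify's code):
offline detection of exploitation attempts against the two Library Viewer URL
parameters, plus a reflection check for a captured page response."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter names taken from the advisory text
VULN_PARAMS = ("library-viewer-error-message", "library-viewer-success-message")

# Heuristic (assumption): a tag, an on*= event handler, or a javascript: URL has
# no business in a plain status message
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Combined log format, assumed; only the fields we need are captured
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic (second line carries the probe
# from the advisory, percent-encoded as a browser would send it)
SAMPLE_LOG = """\
203.0.113.5 - - [02/Feb/2026:10:00:01 +0000] "GET /library/?library-viewer-success-message=Upload%20complete HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Feb/2026:10:00:07 +0000] "GET /library/?library-viewer-error-message=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 5300 "-" "curl/8.0"
198.51.100.2 - - [02/Feb/2026:10:00:09 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads do not slip past."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> dict:
    """Return {param: decoded_value} for vulnerable params that carry markup."""
    hits = {}
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in VULN_PARAMS:
            continue
        for raw in values:  # parse_qs already decoded once
            decoded = decode_param(raw)
            if SUSPICIOUS.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(text: str) -> list:
    """Parse combined-format lines and report requests worth investigating."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "status": m["status"], "params": hits})
    return findings


def classify_reflection(response_body: str, probe: str) -> str:
    """'unescaped' if the probe came back verbatim (the pre-3.2.0 behaviour
    the advisory describes), 'escaped' if it came back HTML-encoded as a
    fixed page should emit it, 'absent' if it was not reflected at all."""
    if probe in response_body:
        return "unescaped"
    if html.escape(probe, quote=False) in response_body or \
            html.escape(probe, quote=True) in response_body:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} params={f['params']}")
```

Run it against a real access log with `scan_log(open(path).read())`; `classify_reflection` takes the body of a response you fetched yourself (for example the `curl -i` output from the answer above) together with the probe string you sent, so it can be used to verify that the 3.2.0 update actually escapes the reflected value.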
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Library Viewer WordPress plugin to version 3.2.0 or later, where the issue has been fixed. Additionally, restrict access to the affected pages to trusted users and avoid clicking on suspicious URLs containing the vulnerable parameters until the update is applied. [1]