CVE-2025-15396
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-15396, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-02

Last updated on: 2026-02-02

Assigner: WPScan

Description

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-02
Last Modified
2026-02-02
Generated
2026-07-06
AI Q&A
2026-02-02
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
library_viewer library_viewer to 3.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-15396 is a Reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Library Viewer versions before 3.2.0. The plugin does not properly sanitize and escape certain URL parameters, specifically 'library-viewer-error-message' and 'library-viewer-success-message', before displaying them on a page. An attacker can craft a URL with malicious JavaScript code in these parameters. When a high-privilege user, such as an administrator, visits this URL, the malicious script executes in their browser, potentially compromising their session or the site. [1]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of a high-privilege user like an administrator. This can lead to session hijacking, unauthorized actions performed on behalf of the admin, theft of sensitive information, or further compromise of the website's security. [1]

Detection Guidance

You can detect this vulnerability by testing if the parameters `library-viewer-error-message` and `library-viewer-success-message` in URLs are vulnerable to reflected XSS. For example, visit URLs like: `http://example.com/page-with-shortcode/?library-viewer-error-message=<img src=x onerror=alert(1)>` or `http://example.com/page-with-shortcode/?library-viewer-success-message=<img src=x onerror=alert(1)>`. If an alert box appears, the vulnerability is present. This manual test can be done using a browser or tools like curl or wget to fetch the page and inspect the response for unsanitized input. Example curl command: `curl -i "http://example.com/page-with-shortcode/?library-viewer-error-message=<img src=x onerror=alert(1)>"` and then check the response for reflected script tags. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Library Viewer WordPress plugin to version 3.2.0 or later, where the issue has been fixed. Additionally, restrict access to the affected pages to trusted users and avoid clicking on suspicious URLs containing the vulnerable parameters until the update is applied. [1]

Compliance Impact

The vulnerability is a Reflected Cross-Site Scripting (XSS) issue that allows execution of arbitrary JavaScript code in the context of high-privilege users such as administrators. Such vulnerabilities can lead to unauthorized access, data leakage, or manipulation of sensitive information.

Because of the potential for unauthorized access and data compromise, this vulnerability could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.

Specifically, failure to properly sanitize inputs and prevent XSS attacks may violate requirements for data integrity, confidentiality, and security controls mandated by these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15396. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart