Login Sign Up

CVE-2025-15440

7.2 HIGH
Cross-Site Scripting

📋 TL;DR

The iONE360 configurator WordPress plugin has a stored XSS vulnerability in its contact form parameters that allows unauthenticated attackers to inject malicious scripts. These scripts execute whenever users access compromised pages, potentially affecting all visitors to vulnerable WordPress sites. All WordPress sites using this plugin up to version 2.0.57 are affected.

💻 Affected Systems

Products:
  • iONE360 configurator WordPress plugin
Versions: All versions up to and including 2.0.57
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the contact form functionality and affects all WordPress installations using the vulnerable plugin versions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.

🟠

Likely Case

Attackers will typically inject scripts to steal user session cookies or credentials, redirect users to phishing sites, or display malicious content to visitors.

🟢

If Mitigated

With proper input validation and output escaping, the vulnerability would be prevented, and only properly sanitized content would be displayed to users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and involves simple script injection into contact form parameters that are stored and later displayed without proper escaping.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.0.58 or later

Vendor Advisory: https://wordpress.org/plugins/ione360-configurator/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'iONE360 configurator' and click 'Update Now'. 4. Alternatively, download the latest version from WordPress.org and manually update via FTP.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the iONE360 configurator plugin until patched

wp plugin deactivate ione360-configurator

Remove contact form functionality

all

Remove or disable the contact form features that use the vulnerable parameters

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules
  • Add Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for iONE360 configurator version 2.0.57 or earlier

Check Version:

wp plugin get ione360-configurator --field=version

Verify Fix Applied:

Verify plugin version is 2.0.58 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to contact form endpoints with script tags or JavaScript code in parameters
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • Incoming requests containing <script> tags or JavaScript in contact form parameters
  • Outbound connections to suspicious domains from your WordPress site

SIEM Query:

source="web_server" AND (uri_path="*contact*" OR uri_path="*configurator*") AND (http_method="POST") AND (request_body="*<script>*" OR request_body="*javascript:*")

📊 Metadata

CVE ID: CVE-2025-15440
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.16% exploit probability (37.3th percentile)
Published: February 11, 2026
Last Updated: February 11, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-15440, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)