Vulnerability-Lookup - Search a vulnerability

Refine your search

Product

Sort by

Order

Sources

CVE-2025-15440 (GCVE-0-2025-15440)

Vulnerability from cvelistv5

Published

2026-02-11 08:26

Modified

2026-04-08 16:32

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

References

URL

Tags

	https://www.wordfence.com/threat-intel/vulnerabilities/id/02fe87e4-4275-4652-aec1-b25547071796?source=cve
	https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L50
	https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L53
	https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L56
	https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L59
	https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L60
	https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L63
	https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L66
	https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L69

Impacted products

	Vendor	Product	Version
	ione360	iONE360 configurator	Version: 0 ≤ 2.0.57

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15440",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T15:41:20.280108Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T15:45:21.419Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iONE360  configurator",
          "vendor": "ione360",
          "versions": [
            {
              "lessThanOrEqual": "2.0.57",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bhumividh Treloges"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The iONE360  configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:32:47.068Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02fe87e4-4275-4652-aec1-b25547071796?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L50"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L53"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L56"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L59"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L60"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L63"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L66"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L69"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-21T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2026-02-10T20:07:30.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "iONE360 configurator \u003c= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact Form Parameters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-15440",
    "datePublished": "2026-02-11T08:26:23.276Z",
    "dateReserved": "2026-01-02T15:28:09.514Z",
    "dateUpdated": "2026-04-08T16:32:47.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-32529 (GCVE-0-2025-32529)

Vulnerability from cvelistv5

Published

2025-04-17 15:47

Modified

2026-04-28 16:12

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iONE360 iONE360 configurator ione360-configurator allows Reflected XSS.This issue affects iONE360 configurator: from n/a through <= 2.0.57.

References

URL

Tags

https://patchstack.com/database/Wordpress/Plugin/ione360-configurator/vulnerability/wordpress-ione360-configurator-plugin-2-0-56-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

vdb-entry

Impacted products

	Vendor	Product	Version
	iONE360	iONE360 configurator	Version: 0 <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32529",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-17T18:06:01.323111Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-17T18:26:13.250Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "ione360-configurator",
          "product": "iONE360 configurator",
          "vendor": "iONE360",
          "versions": [
            {
              "lessThanOrEqual": "2.0.57",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:38:38.154Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in iONE360 iONE360 configurator ione360-configurator allows Reflected XSS.\u003cp\u003eThis issue affects iONE360 configurator: from n/a through \u003c= 2.0.57.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in iONE360 iONE360 configurator ione360-configurator allows Reflected XSS.This issue affects iONE360 configurator: from n/a through \u003c= 2.0.57."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "Reflected XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:12:23.714Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/ione360-configurator/vulnerability/wordpress-ione360-configurator-plugin-2-0-56-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress iONE360 configurator plugin \u003c= 2.0.57 - Reflected Cross Site Scripting (XSS) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-32529",
    "datePublished": "2025-04-17T15:47:39.316Z",
    "dateReserved": "2025-04-09T11:19:42.423Z",
    "dateUpdated": "2026-04-28T16:12:23.714Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Refine your search

2 vulnerabilities found for by iONE360

CVE-2025-15440 (GCVE-0-2025-15440)

Vulnerability from cvelistv5

CVE-2025-32529 (GCVE-0-2025-32529)

Vulnerability from cvelistv5