{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15440", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-02T15:28:09.514Z", "datePublished": "2026-02-11T08:26:23.276Z", "dateUpdated": "2026-04-08T16:32:47.068Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:47.068Z"}, "affected": [{"vendor": "ione360", "product": "iONE360 configurator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.57", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "iONE360 configurator <= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact Form Parameters", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02fe87e4-4275-4652-aec1-b25547071796?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L59"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L66"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L69"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "timeline": [{"time": "2025-12-21T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-10T20:07:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:41:20.280108Z", "id": "CVE-2025-15440", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:45:21.419Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15440", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:41:20.280108Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:41:20.989Z"}}], "cna": {"title": "iONE360 configurator <= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact Form Parameters", "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ione360", "product": "iONE360 configurator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.57"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-21T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-10T20:07:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02fe87e4-4275-4652-aec1-b25547071796?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L53"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L59"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L66"}, {"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L69"}], "descriptions": [{"lang": "en", "value": "The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:47.068Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15440", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:47.068Z", "dateReserved": "2026-01-02T15:28:09.514Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-11T08:26:23.276Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin configurador iONE360 para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de los par\u00e1metros del formulario de contacto en todas las versiones hasta la 2.0.57, inclusive, debido a la sanitizaci\u00f3n insuficiente de la entrada y al escape de la salida. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-15440", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-11T09:15:50.457", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L53"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L56"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L59"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L63"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L66"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L69"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02fe87e4-4275-4652-aec1-b25547071796?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.57]"}}], "product": "ione360__configurator", "vendor": "ione360"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T15:29:51.489972+00:00", "value": {"mitigation_remediation": ["Upgrade the iONE360 configurator plugin to version 2.0.58 or later, where the stored XSS issue has been fixed.", "If upgrading is not immediately possible, disable or remove the contact form feature, or restrict its use to authenticated users only.", "Implement proper input sanitization and output escaping on the contact form fields, and review other plugins for similar weaknesses."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the iONE360 configurator plugin for WordPress with a version of 2.0.57 or earlier are affected. The flaw exists across all releases up to and including 2.0.57.", "description_and_impact": "The iONE360 configurator plugin for WordPress suffers from insufficient input sanitization and output escaping in its contact form, allowing unauthenticated attackers to embed arbitrary JavaScript that is stored and later served to users. This stored cross\u2011site scripting flaw can lead to session hijacking, credential theft, or defacement of pages viewed by unsuspecting visitors. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by submitting malicious input via the public contact form without any authentication, resulting in scripts being executed for any user who visits the affected page."}}}}, "created": "2026-02-11T21:46:07.890538+00:00", "updated": "2026-04-22T15:30:20.784597+00:00", "vendors": ["ione360", "ione360$PRODUCT$ione360__configurator", "wordpress", "wordpress$PRODUCT$wordpress"]}