{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2477", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-17T21:17:09.212Z", "datePublished": "2025-03-22T06:41:09.844Z", "dateUpdated": "2026-04-08T16:37:07.508Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:07.508Z"}, "affected": [{"vendor": "cryokey", "product": "CryoKey", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The CryoKey plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018ckemail\u2019 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "CryoKey <= 2.4 - Reflected Cross-Site Scripting via 'ckemail' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1646f96c-f0f4-433a-ac5e-04c1c251972d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/cryokey/trunk/cryokey.php#L95"}, {"url": "https://wordpress.org/plugins/cryokey/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-03-21T18:19:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-24T14:51:44.131240Z", "id": "CVE-2025-2477", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-24T15:13:48.632Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2477", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-24T14:51:44.131240Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-24T14:51:45.467Z"}}], "cna": {"title": "CryoKey <= 2.4 - Reflected Cross-Site Scripting via 'ckemail' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "cryokey", "product": "CryoKey", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-21T18:19:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1646f96c-f0f4-433a-ac5e-04c1c251972d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/cryokey/trunk/cryokey.php#L95"}, {"url": "https://wordpress.org/plugins/cryokey/#developers"}], "descriptions": [{"lang": "en", "value": "The CryoKey plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018ckemail\u2019 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:07.508Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2477", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:07.508Z", "dateReserved": "2025-03-17T21:17:09.212Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-22T06:41:09.844Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The CryoKey plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018ckemail\u2019 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento CryoKey para WordPress es vulnerable a ataques de Cross-Site Scripting reflejado a trav\u00e9s del par\u00e1metro 'ckemail' en todas las versiones hasta la 2.4 incluida, debido a una depuraci\u00f3n de entrada y al escape de salida insuficiente. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar al usuario para que realice una acci\u00f3n, como hacer clic en un enlace."}], "id": "CVE-2025-2477", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-22T07:15:24.780", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cryokey/trunk/cryokey.php#L95"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/cryokey/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1646f96c-f0f4-433a-ac5e-04c1c251972d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:45:08.350560+00:00", "value": {"mitigation_remediation": ["Upgrade the CryoKey plugin to version 2.5 or later, which removes the vulnerability by sanitizing the 'ckemail' parameter.", "If an immediate upgrade is not possible, implement input validation that restricts the 'ckemail' parameter to a properly formatted email address and strip any script tags before processing.", "Add a Content Security Policy that disallows inline JavaScript and restricts script sources to trusted origins, providing a secondary defense against XSS payloads."], "summary": {"action": "Patch Plugin", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the CryoKey plugin for WordPress, specifically all releases up to and including version 2.4. Systems running these plugin versions, regardless of the host WordPress installation, are susceptible to the flaw.", "description_and_impact": "The CryoKey plugin for WordPress contains a reflected cross\u2011site scripting vulnerability in the 'ckemail' parameter due to insufficient input sanitization and output escaping. An unauthenticated attacker can embed arbitrary JavaScript into a crafted URL, which will execute in the victim\u2019s browser if the user clicks the link. While the flaw does not grant direct code execution or administrative privileges, it allows attackers to steal session cookies, deface content, or load malicious payloads, thereby compromising user confidentiality and integrity.", "risk_and_exploitability": "The CVSS score of 4.7 categorizes the issue as low to moderate severity, and an EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, reflecting its limited exposure. Attackers can exploit the flaw without authentication, but the vector requires social engineering: a malicious link must be clicked by a user who has access to a page that passes the 'ckemail' value to the vulnerable plugin. An attacker could hijack sessions, deliver malware, or compromise user accounts, but the attack is limited to the browsers that load the compromised content."}}}}, "created": "2025-07-12T15:26:08.512071+00:00", "updated": "2026-04-22T17:45:22.928624+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}