CVE-2025-2479 - Vulnerability Details

- Easy Custom Admin Bar <= 1.0 - Reflected Cross-Site Scripting via msg Parameter

Description

The Easy Custom Admin Bar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: 2025-03-22

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Easy Custom Admin Bar plugin accepts a "msg" query parameter without proper sanitization or escaping. An attacker can embed arbitrary script payloads that are reflected back in the page and executed in the victim’s browser. Because the vulnerability is triggered by a crafted URL, no authentication is required and it can lead to session hijacking, cookie theft, or phishing attempts while the victim is logged into WordPress. The weakness is described by CWE‑79.

Affected Systems

All WordPress sites that use the duogeek Easy Custom Admin Bar plugin, version 1.0 or earlier. No specific WordPress core version is mentioned, so the flaw applies to any installation of the plugin regardless of the surrounding environment.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity vulnerability. The EPSS score of less than 1 % suggests a very low exploitation probability at present, and the flaw is not listed in CISA’s KEV catalog. Nonetheless, the attack can be launched from any remote web server by creating a URL that the target user clicks on. Because the payload executes in the authenticated context of the victim, the impact on confidentiality, integrity, and availability can be significant once the script is delivered.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

duogeek

Easy Custom Admin Bar

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Easy Custom Admin Bar plugin to the latest version that implements proper input sanitization and output escaping.
If an upgrade is not possible, immediately deactivate or uninstall the plugin to eliminate the vulnerable functionality.
Implement a web‑application‑firewall rule that blocks or sanitizes suspicious "msg" parameters to prevent script injection until a patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 17:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-7187	The Easy Custom Admin Bar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00467.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/easy-custom-admin-bar/trunk/adminbar.php#L198
https://wordpress.org/plugins/easy-custom-admin-bar/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/140f633c-c2e4-4b3c-befc-d870e06be970?source=cve

History

Mon, 24 Mar 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 22 Mar 2025 06:45:00 +0000

Type	Values Removed	Values Added
Description		The Easy Custom Admin Bar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title		Easy Custom Admin Bar <= 1.0 - Reflected Cross-Site Scripting via msg Parameter
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/easy-custom-admin-bar/trunk/adminbar.php#L198 https://wordpress.org/plugins/easy-custom-admin-bar/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/140f633c-c2e4-4b3c-befc-d870e06be970?source=cve
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-03-22T06:41:09.171Z

Updated: 2026-04-08T16:36:45.166Z

Reserved: 2025-03-17T21:49:38.615Z

Link: CVE-2025-2479

Vulnrichment

Updated: 2025-03-24T14:51:48.103Z

NVD

Status : Deferred

Published: 2025-03-22T07:15:25.123

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2479

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object