Search criteria
2 vulnerabilities by ione360
CVE-2025-15440 (GCVE-0-2025-15440)
Vulnerability from cvelistv5 – Published: 2026-02-11 08:26 – Updated: 2026-02-11 15:45
VLAI?
Title
iONE360 configurator <= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact Form Parameters
Summary
The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ione360 | iONE360 configurator |
Affected:
* , ≤ 2.0.57
(semver)
|
Credits
Bhumividh Treloges
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15440",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-11T15:41:20.280108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T15:45:21.419Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "iONE360 configurator",
"vendor": "ione360",
"versions": [
{
"lessThanOrEqual": "2.0.57",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bhumividh Treloges"
}
],
"descriptions": [
{
"lang": "en",
"value": "The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T08:26:23.276Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02fe87e4-4275-4652-aec1-b25547071796?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L50"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L53"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L59"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L60"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L63"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ione360-configurator/tags/2.0.57/admin/partials/configurator-ione360-admin-contact-form.php#L69"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-21T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-10T20:07:30.000Z",
"value": "Disclosed"
}
],
"title": "iONE360 configurator \u003c= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact Form Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15440",
"datePublished": "2026-02-11T08:26:23.276Z",
"dateReserved": "2026-01-02T15:28:09.514Z",
"dateUpdated": "2026-02-11T15:45:21.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32529 (GCVE-0-2025-32529)
Vulnerability from cvelistv5 – Published: 2025-04-17 15:47 – Updated: 2025-04-17 18:26
VLAI?
Title
WordPress iONE360 configurator plugin <= 2.0.56 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iONE360 iONE360 configurator allows Reflected XSS. This issue affects iONE360 configurator: from n/a through 2.0.56.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| iONE360 | iONE360 configurator |
Affected:
n/a , ≤ 2.0.56
(custom)
|
Credits
João Pedro S Alcântara (Kinorth) (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32529",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T18:06:01.323111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T18:26:13.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ione360-configurator",
"product": "iONE360 configurator",
"vendor": "iONE360",
"versions": [
{
"lessThanOrEqual": "2.0.56",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in iONE360 iONE360 configurator allows Reflected XSS.\u003c/p\u003e\u003cp\u003eThis issue affects iONE360 configurator: from n/a through 2.0.56.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in iONE360 iONE360 configurator allows Reflected XSS. This issue affects iONE360 configurator: from n/a through 2.0.56."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:47:39.316Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/ione360-configurator/vulnerability/wordpress-ione360-configurator-plugin-2-0-56-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress iONE360 configurator plugin \u003c= 2.0.56 - Reflected Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32529",
"datePublished": "2025-04-17T15:47:39.316Z",
"dateReserved": "2025-04-09T11:19:42.423Z",
"dateUpdated": "2025-04-17T18:26:13.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}