CVE-2025-15440 in iONE360 Configurator Plugin

Summary

by MITRE • 02/11/2026

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 02/12/2026

The iONE360 configurator plugin for WordPress represents a significant security vulnerability that affects versions up to and including 2.0.57, exposing WordPress installations to stored cross-site scripting attacks. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's contact form parameters handling functionality. The flaw allows unauthenticated attackers to inject malicious scripts that persist in the application's database and execute whenever legitimate users access affected pages, creating a persistent threat vector that can compromise user sessions and data integrity.

This vulnerability falls under CWE-79 (Cross-Site Scripting) and is classified as stored XSS because the malicious payload persists in the application's data storage. The vulnerability manifests when the plugin fails to properly sanitize user-supplied input from contact form parameters before storing it, and fails to escape that data when rendering it in web pages. This allows attackers to embed JavaScript in form fields that is then executed in the browsers of other users who view the affected pages. Because the attack vector requires no authentication, it is particularly dangerous: any user who accesses a page containing the injected script can be affected.

The operational impact of this vulnerability extends beyond simple script execution, potentially enabling attackers to perform session hijacking, steal sensitive user information, manipulate website content, or redirect users to malicious sites. When legitimate users access pages containing the stored malicious scripts, their browsers execute the injected code in the context of the vulnerable website, potentially allowing attackers to access cookies, session tokens, or other sensitive data. This threat is particularly concerning for WordPress installations that rely on the iONE360 plugin for contact form functionality, as the attack can occur simply through normal website navigation without any special interaction from the victim.

Security mitigations for this vulnerability should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should implement input validation that strips or encodes potentially malicious content before storage, while also ensuring proper output escaping whenever user-supplied data is rendered in a web context. Additionally, a content security policy and regular security scanning of plugin installations can help detect and limit the impact of similar vulnerabilities. The ATT&CK framework categorizes this vulnerability under T1059.007 for Scripting and T1566.001 for Spearphishing Attachment, highlighting the need for layered defensive measures, including network monitoring, user education, and regular security assessments, to prevent exploitation of such persistent threats.
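As an added example, not taken from the plugin or the advisory, the following WordPress-style PHP contrasts a contact-form handler that stores and echoes parameters raw (the CWE-79 pattern described above) with one that sanitizes on input and escapes on output; all function and option names are hypothetical.

```php
<?php
// Hypothetical contact-form handler illustrating the stored-XSS pattern.
// This is NOT the iONE360 plugin's code; names and option keys are made up.

// --- Vulnerable pattern: parameter stored raw and echoed raw ---
function demo_save_contact_vulnerable() {
    // Unauthenticated request: no nonce check and no sanitization.
    $params = array(
        'subject' => $_POST['subject'],
        'message' => $_POST['message'],
    );
    update_option( 'demo_contact_params', $params ); // persists in wp_options
}

function demo_render_contact_vulnerable() {
    $params = get_option( 'demo_contact_params', array() );
    // Stored values are inserted into HTML without escaping: stored XSS.
    echo '<h2>' . $params['subject'] . '</h2>';
    echo '<div class="msg">' . $params['message'] . '</div>';
}

// --- Hardened pattern: sanitize on input, escape on output ---
function demo_save_contact_hardened() {
    // Only accept writes that carry a valid nonce for this form action.
    $nonce = isset( $_POST['demo_nonce'] ) ? $_POST['demo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_contact_save' ) ) {
        return;
    }
    $params = array(
        // Single-line text: strips tags and control characters.
        'subject' => sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) ),
        // Multi-line text: keeps newlines, strips tags.
        'message' => sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) ),
    );
    update_option( 'demo_contact_params', $params );
}

function demo_render_contact_hardened() {
    $params = get_option( 'demo_contact_params', array() );
    // Escape at the point of output, for the HTML body context being written.
    // Input sanitization alone is not sufficient; stored data may predate it.
    echo '<h2>' . esc_html( $params['subject'] ?? '' ) . '</h2>';
    echo '<div class="msg">' . nl2br( esc_html( $params['message'] ?? '' ) ) . '</div>';
}
```

If a value is written into an attribute or a JavaScript block instead of the HTML body, use the matching escaper (esc_attr, esc_js) rather than esc_html.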

Disclosure: 02/11/2026

Moderation: accepted

Entry: 2


CPE: ready

EPSS: 0.00116

KEV: no

Activities: very low
