CVE-2025-23429

CVE-2025-23429 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as reflected Cross-site Scripting (XSS, CWE-79), in the Altima Lookbook Free for WooCommerce WordPress plugin by altima-interactive. Published on 2025-01-16, it affects all versions of the plugin from n/a through 1.1.0.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable remotely over the network by unauthenticated attackers with low complexity, though it requires user interaction such as clicking a malicious link. Successful exploitation allows injection and execution of arbitrary JavaScript in the victim's browser, enabling low-impact confidentiality, integrity, and availability effects with changed scope, such as session hijacking or data exfiltration from the targeted user.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/altima-lookbook-free-for-woocommerce/vulnerability/wordpress-altima-lookbook-free-for-woocommerce-plugin-1-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve documents the issue in detail for WordPress plugin users. Mitigation guidance from such advisories typically recommends updating to a version beyond 1.1.0 or disabling the plugin if no patch is available.