CVE-2025-23431
Published: 14 February 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in khaninejad Envato Affiliater envato-affiliater allows Reflected XSS. This issue affects Envato Affiliater: from n/a through <= 1.2.4.
Security Summary
CVE-2025-23431, published on 2025-02-14, is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Envato Affiliater WordPress plugin by khaninejad (envato-affiliater). It affects all versions of the plugin from n/a through 1.2.4 inclusive, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability is exploitable remotely over the network by an unauthenticated attacker with low attack complexity, but it requires user interaction, such as a victim visiting a maliciously crafted URL. The plugin reflects attacker-controlled input into a generated page without neutralizing it, so arbitrary JavaScript executes in the victim's browser in the context of the site. The rated impact on confidentiality, integrity, and availability is limited, but the changed scope (S:C) means effects can extend beyond the vulnerable component itself, for example session hijacking or data exfiltration from authenticated users.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/envato-affiliater/vulnerability/wordpress-envato-affiliater-plugin-1-2-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the issue in Envato Affiliater plugin version 1.2.4 for WordPress. Practitioners should consult that reference for mitigation steps, such as updating the plugin if a fixed version is available or temporarily disabling it.
Details
- CWE(s)