CVE-2025-23432

CVE-2025-23432 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the AlT Report WordPress plugin (alt-report) developed by AlTi5. The issue impacts all versions from unknown initial release through 1.12.0. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, and changed scope.

A remote attacker without authentication can exploit this vulnerability by crafting malicious input that is reflected in dynamically generated web pages. This requires tricking a user, such as an authenticated WordPress administrator, into interacting with the payload, typically via a phishing link or malicious website. Successful exploitation enables script execution in the victim's browser context, potentially leading to low-impact theft of sensitive data like session cookies, low integrity modifications such as defacement, and low availability disruptions, with the changed scope allowing effects beyond the vulnerable component.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/alt-report/vulnerability/wordpress-alt-report-plugin-1-12-0-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this WordPress plugin vulnerability, recommending mitigation through updating to a patched version beyond 1.12.0 where available. Security practitioners should verify plugin updates and apply input sanitization as interim measures.