CVE-2025-23433

High

Published: 03 March 2025

Published

03 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0023 45.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jnwry vcOS vcos allows Reflected XSS.This issue affects vcOS: from n/a through <= 1.4.0.

Security Summary

CVE-2025-23433 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Cross-site Scripting (CWE-79), that enables Reflected XSS in the jnwry vcOS WordPress plugin (vcos). Published on 2025-03-03, it affects vcOS versions from n/a through 1.4.0.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed for exploitation. Unauthenticated attackers can deliver malicious payloads via reflected inputs, tricking victims into executing scripts in their browsers, potentially leading to limited impacts on confidentiality, integrity, and availability with a changed scope.

The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/vcos/vulnerability/wordpress-vcos-plugin-1-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the issue in the WordPress vcOS plugin version 1.4.0 and provides details for practitioners to assess mitigation, such as applying available updates or input validation workarounds.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/vcos/vulnerability/wordpress-vcos-plugin-1-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com