CVE-2025-23437

High

Published: 03 March 2025

Published

03 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0023 45.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nord_tramper ntp-header-images header-images-rotator allows Reflected XSS.This issue affects ntp-header-images: from n/a through <= 1.2.

Security Summary

CVE-2025-23437 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the nord_tramper ntp-header-images header-images-rotator WordPress plugin. This issue affects versions of ntp-header-images from n/a through 1.2 inclusive. The vulnerability was published on 2025-03-03T14:15:34.890 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

The vulnerability can be exploited by remote attackers requiring no privileges or authentication. Exploitation involves tricking a user into interacting with malicious input, such as visiting a crafted URL, which causes the plugin to reflect unsanitized input during web page generation. This executes arbitrary scripts in the victim's browser context, potentially leading to low impacts on confidentiality, integrity, and availability, with a changed scope due to the cross-origin effects.

Mitigation details are available in advisories such as the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/header-images-rotator/vulnerability/wordpress-ntp-header-images-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/header-images-rotator/vulnerability/wordpress-ntp-header-images-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com