CVE-2025-23438

CVE-2025-23438 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the WP PT-Viewer WordPress plugin developed by Vincent Mimoun-Prat. The issue impacts all versions of the plugin from n/a through 2.0.2 inclusive. It has a CVSS v3.1 base score of 7.1, reflecting a high-severity rating due to its network accessibility, low complexity, lack of required privileges, user interaction dependency, and scope change with low impacts on confidentiality, integrity, and availability.

A remote, unauthenticated attacker can exploit this vulnerability by crafting malicious input that is reflected in the generated web page without proper neutralization. The attack requires a victim user, such as a site visitor or administrator, to interact with the malicious payload, typically via a phishing link or similar vector. Successful exploitation allows the attacker to execute arbitrary scripts in the victim's browser context, potentially leading to session hijacking, data theft, or further site compromise within the changed scope.

Patchstack has published an advisory detailing the vulnerability at https://patchstack.com/database/Wordpress/Plugin/wp-ptviewer/vulnerability/wordpress-wp-pt-viewer-plugin-2-0-2-reflected-xss-vulnerability?_s_id=cve, which security practitioners should consult for specific mitigation guidance, such as updating to a patched version if available or applying workarounds.