CVE-2025-23454

CVE-2025-23454 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the flashmaniac Nature FlipBook WordPress plugin (vertical-diamond-flipbook-flash). This issue affects all versions of the plugin from n/a through 1.7 inclusive. The vulnerability was published on 2025-01-21 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges but user interaction, such as clicking a malicious link. Exploitation changes the security scope, enabling limited impacts on confidentiality, integrity, and availability. In practice, this allows reflected XSS payloads to execute in the victim's browser context, potentially leading to session hijacking, data theft, or other client-side attacks against authenticated users.

The Patchstack advisory documents this Reflected XSS vulnerability specifically in Nature FlipBook WordPress plugin version 1.7 and provides vulnerability details for the vertical-diamond-flipbook-flash component. Security practitioners should review the advisory at https://patchstack.com/database/Wordpress/Plugin/vertical-diamond-flipbook-flash/vulnerability/wordpress-nature-flipbook-wordpress-plugin-plugin-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for mitigation recommendations, such as plugin updates or configuration changes.