CVE-2025-23459

CVE-2025-23459 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the NsThemes NS Simple Intro Loader (ns-simple-intro-loader) WordPress plugin. This issue impacts all versions from n/a through 2.2.3. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, and changed scope.

Remote attackers without authentication can exploit this vulnerability by crafting malicious input that is reflected in dynamically generated web pages, tricking users into interacting with it, such as clicking a malicious link. Successful exploitation allows script execution in the context of the victim's browser, potentially leading to low-impact confidentiality breaches (e.g., session token theft), integrity modifications (e.g., page alterations), and availability disruptions, amplified by the cross-origin scope change.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ns-simple-intro-loader/vulnerability/wordpress-ns-simple-intro-loader-plugin-2-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this Reflected XSS vulnerability in NS Simple Intro Loader version 2.2.3. Security practitioners should consult this reference for specific mitigation guidance, such as plugin updates if available.