CVE-2025-23462

CVE-2025-23462 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the FWD Slider (fwd-slider) WordPress plugin developed by Anil Jailta. The flaw affects all versions of the plugin from n/a through 1.0 inclusive, enabling attackers to inject malicious scripts into web pages viewed by other users.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network with low attack complexity and no required privileges, though it demands user interaction such as clicking a malicious link. Remote attackers can trick authenticated or unauthenticated users into triggering the XSS payload, achieving limited impacts on confidentiality, integrity, and availability within a changed scope, such as stealing session cookies, defacing pages, or redirecting users in the victim's browser context.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/fwd-slider/vulnerability/wordpress-fwd-slider-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents this Reflected XSS issue in FWD Slider version 1.0, providing details for WordPress administrators to assess exposure and apply recommended mitigations.