CVE-2025-23465
Published: 03 March 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magent Vampire Character Manager vampire-character allows Reflected XSS.This issue affects Vampire Character Manager: from n/a through <= 2.13.
Security Summary
CVE-2025-23465 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Vampire Character Manager WordPress plugin (vampire-character). This issue affects all versions of the plugin from n/a through 2.13 inclusive. The vulnerability was published on 2025-03-03T14:15:36.213 and carries a CVSS v3.1 base score of 7.1.
Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and resulting in a changed scope (S:C) with low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). Any unauthenticated remote attacker can craft malicious input that reflects unsanitized back to users, such as via a phishing link or malicious webpage, executing arbitrary JavaScript in the victim's browser context upon interaction.
Mitigation details are documented in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/vampire-character/vulnerability/wordpress-vampire-character-manager-plugin-2-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which covers the Reflected XSS in the WordPress Vampire Character Manager plugin up to version 2.13.
Details
- CWE(s)