Cyber Posture

CVE-2025-23468

High

Published: 03 March 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0011 (29.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wrenchpilot Essay Wizard (wpCRES) essay-wizard-wpcres allows Reflected XSS. This issue affects Essay Wizard (wpCRES): from n/a through <= 1.0.6.4.

Security Summary

CVE-2025-23468 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Essay Wizard (wpCRES) WordPress plugin developed by wrenchpilot under the essay-wizard-wpcres package. This issue affects all versions of the plugin from its initial release through 1.0.6.4.

The vulnerability is remotely exploitable over the network with low attack complexity and no privileges, but it requires user interaction such as following a malicious link. Exploitation enables execution of arbitrary JavaScript in the victim's browser context within the affected site, resulting in low impacts to confidentiality, integrity, and availability, with a changed scope. It is scored 7.1 under CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/essay-wizard-wpcres/vulnerability/wordpress-essay-wizard-wpcres-plugin-1-0-6-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the vulnerability in the WordPress Essay Wizard (wpCRES) plugin version 1.0.6.4.

Details

CWE(s)
CWE-79

References