CVE-2025-23472

High

Published: 03 March 2025

Published

03 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0011 29.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio Flexo Slider flexo-slider allows Reflected XSS.This issue affects Flexo Slider: from n/a through <= 1.0013.

Security Summary

CVE-2025-23472 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the flexostudio Flexo Slider (flexo-slider) WordPress plugin. Published on 2025-03-03, it affects all versions from n/a through 1.0013, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Unauthenticated attackers (PR:N) accessible over the network (AV:N) can exploit this with low attack complexity (AC:L) by tricking users into performing an action such as clicking a malicious link (UI:R). Exploitation changes the scope (S:C) and enables limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), allowing arbitrary script execution in the context of the victim's browser on affected sites.

The Patchstack advisory provides details on this Reflected XSS vulnerability in WordPress Flexo Slider plugin version 1.0013 and covers mitigation guidance: https://patchstack.com/database/Wordpress/Plugin/flexo-slider/vulnerability/wordpress-flexo-slider-plugin-1-0013-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/flexo-slider/vulnerability/wordpress-flexo-slider-plugin-1-0013-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com