CVE-2025-23478

CVE-2025-23478 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the cmsaccount Photo Video Store WordPress plugin (photo-video-store). The issue impacts all versions from n/a through 21.07 and was published on 2025-03-03. It carries a CVSS v3.1 base score of 7.1, reflecting network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and low impacts to confidentiality, integrity, and availability.

Remote attackers require no authentication (PR:N) and can exploit the vulnerability by crafting malicious inputs that are reflected back in web page generation, tricking users into clicking links or visiting pages (UI:R). Exploitation executes arbitrary scripts in the victim's browser context (S:C), enabling theft of session cookies, keystroke logging, or minor defacement, with limited overall impact due to the low confidentiality, integrity, and availability ratings.

Mitigation details are available in advisories such as the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/photo-video-store/vulnerability/wordpress-photo-video-store-plugin-21-07-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which documents the Reflected XSS in the WordPress Photo Video Store plugin version 21.07.