Cyber Posture

CVE-2025-23489

Severity: High
Published: 21 January 2025
Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0018 (38.9th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Messenlehner WP-Announcements (wp-announcements) allows Reflected XSS. This issue affects WP-Announcements: from n/a through <= 1.8.

Security Summary

CVE-2025-23489 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as CWE-79, that enables Reflected Cross-site Scripting (XSS) in the WP-Announcements WordPress plugin developed by Brian Messenlehner. This issue affects all versions of the plugin from n/a through 1.8 inclusive, as published on 2025-01-21.

The vulnerability can be exploited by remote attackers over the network with no privileges and low attack complexity, though user interaction is required. Exploitation changes the scope and results in low impacts to confidentiality, integrity, and availability, yielding a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). As with any reflected XSS, the attacker-controlled input only reaches the victim's browser when the victim follows a crafted link, which is why the vector carries UI:R.

Patchstack has documented this reflected XSS vulnerability specific to WP-Announcements plugin version 1.8 in their WordPress plugin database.

Details

CWE(s)
CWE-79

References