CVE-2025-23491
Published: 03 February 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikash Srivastava VSTEMPLATE Creator vstemplate-creator allows Reflected XSS. This issue affects VSTEMPLATE Creator: from n/a through <= 2.0.2.
Security Summary
CVE-2025-23491, published on 2025-02-03, is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in Vikash Srivastava's VSTEMPLATE Creator WordPress plugin (vstemplate-creator). The issue affects all versions from n/a through 2.0.2. It carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.
Remote attackers can exploit this vulnerability by crafting malicious inputs that are reflected back in web pages without proper neutralization, tricking users into interacting via phishing links or similar lures. No authentication is required, enabling unauthenticated attackers to target any site running the vulnerable plugin. Successful exploitation allows script injection in the victim's browser context, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of the user, with the changed scope amplifying effects to site users or resources.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/vstemplate-creator/vulnerability/wordpress-vstemplate-creator-plugin-2-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this reflected XSS vulnerability in the VSTEMPLATE Creator WordPress plugin up to version 2.0.2.
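The advisory does not name the affected parameter, so the following is an added illustrative example, not code from the VSTEMPLATE Creator plugin: it shows the CWE-79 reflected-XSS pattern in a WordPress plugin beside the WordPress-idiomatic fix (sanitize on input, escape on output for the exact HTML context). The function names, the admin page and the `vst_name` parameter are hypothetical.

```php
<?php
// Added illustrative example; not the plugin's own code.
// Parameter name "vst_name", page slug and function names are hypothetical.

// VULNERABLE: a request parameter is echoed straight back into the generated page.
function vst_render_notice_vulnerable() {
    if ( isset( $_GET['vst_name'] ) ) {
        // Whatever markup the request carries is rendered by the victim's browser here.
        echo '<div class="notice">Template: ' . $_GET['vst_name'] . '</div>';
    }
}

// HARDENED: sanitize the input, then escape for the HTML text context on output.
function vst_render_notice_hardened() {
    if ( ! isset( $_GET['vst_name'] ) ) {
        return;
    }
    // wp_unslash() removes WordPress' added slashes; sanitize_text_field()
    // strips tags, invalid UTF-8 octets and line breaks from the value.
    $name = sanitize_text_field( wp_unslash( $_GET['vst_name'] ) );
    // esc_html() encodes <, >, &, " and ' so the value is shown as text, never parsed as markup.
    echo '<div class="notice">Template: ' . esc_html( $name ) . '</div>';
}

// Each output context has its own escaper: esc_attr() for attribute values,
// esc_url() for href/src, esc_html() for element text.
function vst_render_link_hardened( $name ) {
    $url = add_query_arg( 'vst_name', rawurlencode( $name ), admin_url( 'admin.php?page=vst' ) );
    echo '<a href="' . esc_url( $url ) . '" title="' . esc_attr( $name ) . '">'
        . esc_html( $name ) . '</a>';
}

// Only the hardened renderer is hooked into the admin page.
add_action( 'admin_notices', 'vst_render_notice_hardened' );
```

When reviewing a plugin for this class of bug, grep for `echo`/`print` of `$_GET`, `$_POST`, `$_REQUEST` or `$_SERVER['REQUEST_URI']` values that reach output without passing through an `esc_*` function matching the context.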
Details
- CWE(s)