CVE-2025-23498

CVE-2025-23498 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Translation.Pro WordPress plugin (translation-pro) developed by ContentLocalized. This issue affects all versions of the plugin up to and including 1.0.0, as published on 2025-01-22.

The vulnerability carries a CVSS v3.1 base score of 7.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. Remote attackers require no privileges and can exploit it over the network with low complexity by tricking authenticated users into interacting with maliciously crafted input, such as a specially crafted link or request. Successful exploitation enables script execution in the victim's browser within the context of the affected site (changed scope), potentially leading to low-level impacts on confidentiality, integrity, and availability, such as session hijacking, data theft, or page manipulation.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/translation-pro/vulnerability/wordpress-translation-pro-plugin-1-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this Reflected XSS vulnerability in Translation.Pro version 1.0.0 and provides details for mitigation, which security practitioners should consult for patching instructions or workarounds.