CVE-2025-23524

High

Published: 03 March 2025

Published

03 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0023 45.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dactum ClickBank Storefront mycbgenie-clickbank-storefront allows Reflected XSS.This issue affects ClickBank Storefront: from n/a through <= 1.7.

Security Summary

CVE-2025-23524 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (CWE-79), in the dactum ClickBank Storefront WordPress plugin (mycbgenie-clickbank-storefront). This issue affects all versions of the plugin from unknown initial release through 1.7 inclusive.

The vulnerability can be exploited by remote attackers with network access, requiring low attack complexity, no privileges, and user interaction such as clicking a malicious link. Exploitation changes the security scope and enables arbitrary script execution in the victim's browser context, resulting in low impacts to confidentiality, integrity, and availability, with an overall CVSS v3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Patchstack's advisory (https://patchstack.com/database/Wordpress/Plugin/mycbgenie-clickbank-storefront/vulnerability/wordpress-clickbank-storefront-wordpress-plugin-plugin-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS vulnerability in the WordPress ClickBank Storefront plugin up to version 1.7.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/mycbgenie-clickbank-storefront/vulnerability/wordpress-clickbank-storefront-wordpress-plugin-plugin-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com