Cyber Posture

CVE-2025-23525

Severity: High
Published: 14 February 2025
Modified: 23 April 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0011 (29.2 percentile rank)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kvvaradha Kv Compose Email From Dashboard (kv-send-email-from-admin) allows Reflected XSS. This issue affects Kv Compose Email From Dashboard: from n/a through <= 1.1.

Security Summary

CVE-2025-23525 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin Kv Compose Email From Dashboard (slug kv-send-email-from-admin) by kvvaradha. It affects all versions up to and including 1.1; no fixed version is listed on this page. Published on 2025-02-14, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network-reachable, low attack complexity, no privileges required, user interaction required, and a scope change (the script runs in the victim's browser rather than in the vulnerable component), with low confidentiality, integrity, and availability impact.

An unauthenticated attacker exploits this over the network by crafting a request whose parameter value is reflected into the plugin's dashboard email-composition page without adequate output encoding. Because the page is served from wp-admin, the realistic victim is a logged-in administrator who must be induced to open the crafted link (for example via email or a malicious site). The injected script then executes in that administrator's authenticated browser session, which allows reading page content, altering what the administrator sees, and performing actions through the administrator's session; the CVSS vector rates each of these impacts as low, but a practitioner should treat any script execution in an administrator's wp-admin context as a priority for remediation.
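The pattern behind a reflected XSS of this kind in a WordPress admin page, and the hardened form of the same code, as an added illustration that is not code from the Kv Compose Email From Dashboard plugin or from Patchstack. The page slug kv_compose_demo, the query parameter subject, and the nonce action kv_demo_compose are assumed for the example; the plugin's real parameter names are not given on this page. The snippet assumes the WordPress runtime (esc_html, esc_attr, sanitize_text_field, wp_unslash, wp_verify_nonce, current_user_can are core WordPress functions).

```php
<?php
// Added example, not the plugin's own code. Page slug, parameter and nonce
// action names are assumptions for illustration.

// Vulnerable pattern: a request parameter is written straight into the page.
// A link such as
//   /wp-admin/admin.php?page=kv_compose_demo&subject="><script>...</script>
// opened by a logged-in administrator runs the script in that admin session.
function kv_demo_render_vulnerable() {
    $subject = isset( $_GET['subject'] ) ? $_GET['subject'] : '';
    echo '<input type="text" name="subject" value="' . $subject . '">';
    echo '<p>Composing: ' . $subject . '</p>';
}

// Hardened pattern: gate on capability, require a nonce so an outsider cannot
// forge a valid link, sanitize on input, and escape for the exact output
// context (attribute value vs. HTML text) on output.
function kv_demo_render_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'kv-demo' ) );
    }

    $nonce = isset( $_GET['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
        : '';
    // wp_verify_nonce() ties the link to the current user and a time window,
    // so a reflected payload cannot be delivered by an unauthenticated attacker.
    if ( ! wp_verify_nonce( $nonce, 'kv_demo_compose' ) ) {
        wp_die( esc_html__( 'Invalid or expired link.', 'kv-demo' ) );
    }

    $subject = isset( $_GET['subject'] )
        ? sanitize_text_field( wp_unslash( $_GET['subject'] ) )
        : '';

    // esc_attr() for the attribute context, esc_html() for the text context.
    // Sanitizing on input is not a substitute for escaping on output.
    echo '<input type="text" name="subject" value="' . esc_attr( $subject ) . '">';
    echo '<p>Composing: ' . esc_html( $subject ) . '</p>';
}

// Links to the page must carry the nonce, e.g. when building the menu URL:
function kv_demo_compose_url() {
    return wp_nonce_url(
        admin_url( 'admin.php?page=kv_compose_demo' ),
        'kv_demo_compose'
    );
}
```

When reviewing a plugin for this class of bug, search for `$_GET`, `$_POST` and `$_REQUEST` values that reach `echo`, `print`, or `printf` without passing through an `esc_*` function appropriate to the surrounding markup; `sanitize_text_field()` alone does not make a value safe inside an attribute or a script block.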

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/kv-send-email-from-admin/vulnerability/wordpress-kv-compose-email-from-dashboard-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this Reflected XSS in plugin version 1.1. This page lists no patched version, so operators should check the advisory and the plugin's changelog for a fix; where none is available, deactivate or remove the plugin, and in the meantime restrict wp-admin access (for example by IP or VPN) to reduce the chance that an administrator opens an attacker-supplied link.

Details

CWE(s)
CWE-79
