CVE-2025-23531
Published: 27 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in davidfcarr RSVPMaker Volunteer Roles rsvpmaker-volunteer-roles allows Reflected XSS.This issue affects RSVPMaker Volunteer Roles: from n/a through <= 1.5.1.
Security Summary
CVE-2025-23531 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the RSVPMaker Volunteer Roles WordPress plugin (rsvpmaker-volunteer-roles) developed by davidfcarr. This issue affects all versions of the plugin from unknown initial release through 1.5.1.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Unauthenticated attackers can exploit it by crafting payloads reflected in web pages, achieving low impacts on confidentiality, integrity, and availability within a changed scope, potentially allowing session hijacking or script execution in victims' browsers.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/rsvpmaker-volunteer-roles/vulnerability/wordpress-rsvpmaker-volunteer-roles-plugin-1-5-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS in RSVPMaker Volunteer Roles up to version 1.5.1, with mitigation centered on updating to a patched version of the plugin.
Details
- CWE(s)