CVE-2025-23541

High

Published: 23 January 2025

Published

23 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0018 38.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in edmon.parker Download, Downloads ydn-download allows Reflected XSS.This issue affects Download, Downloads : from n/a through <= 1.4.2.

Security Summary

CVE-2025-23541 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin "Download, Downloads" (ydn-download) by edmon.parker. This issue affects all versions of the plugin from n/a through 1.4.2 inclusive.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed, with changed scope and low impacts to confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with maliciously crafted input reflected in web pages, such as via specially crafted links or requests.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ydn-download/vulnerability/wordpress-download-downloads-plugin-1-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve documents this XSS vulnerability in the WordPress Download & Downloads plugin version 1.4.2 and provides relevant mitigation details for affected deployments.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/ydn-download/vulnerability/wordpress-download-downloads-plugin-1-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com