CVE-2025-23543
Published: 26 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-23543 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (CWE-79), in the fomopay FOMO Pay Chinese Payment Solution plugin (fomo-payment-gateway-for-woocommerce) for WordPress. The issue affects all versions from n/a through 2.0.4, allowing attackers to inject malicious scripts into web pages viewed by other users.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Remote attackers require no privileges and can exploit it over the network with low attack complexity by tricking authenticated users into performing actions such as visiting a maliciously crafted URL. Exploitation leads to limited impacts on confidentiality, integrity, and availability within a changed security scope, such as session hijacking or data exfiltration from the victim's browser.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fomo-payment-gateway-for-woocommerce/vulnerability/wordpress-fomo-pay-chinese-payment-solution-plugin-2-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables crafted malicious URLs that execute scripts in victims' browsers upon visit (T1189 Drive-by Compromise and T1204.001 Malicious Link), directly facilitating session hijacking via cookie theft (T1539 Steal Web Session Cookie) as described.