CVE-2025-23546
Published: 26 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23546 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin RDP inGroups+ (rdp-ingroups) by Robert D Payne. The issue affects all versions from n/a through 1.0.6. Published on 2025-03-26T15:15:57.993, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this remotely over the network with low complexity and no required privileges, but it necessitates user interaction such as clicking a malicious link or submitting crafted input. Successful exploitation reflects attacker-controlled scripts into the victim's browser context, enabling actions like session hijacking or data theft within the scope of the affected site, with low impacts to confidentiality, integrity, and availability due to the changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/rdp-ingroups/vulnerability/wordpress-rdp-ingroups-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on the vulnerability in the WordPress RDP inGroups+ plugin version 1.0.6.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of web applications (T1190) and execution of JavaScript in browser (T1059.007).