CVE-2025-23553
Published: 03 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-23553 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Userbase Access Control WordPress plugin developed by David Cramer. The plugin, known as userbase-access-control, is vulnerable in all versions up to and including 1.0, allowing attackers to inject malicious scripts into web pages generated by the plugin.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low complexity, no privileges required, but user interaction is needed. Remote unauthenticated attackers can craft malicious payloads delivered via reflected inputs, such as URLs, tricking victims into interacting with them (e.g., clicking a link). Successful exploitation executes arbitrary JavaScript in the victim's browser context with changed scope, potentially leading to low-level impacts on confidentiality, integrity, and availability, such as session hijacking or data theft.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/userbase-access-control/vulnerability/wordpress-userbase-access-control-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on the vulnerability, including assessment and recommended mitigations for WordPress site administrators.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser via malicious URL payloads (T1059.007) and directly facilitates browser session hijacking or data theft as noted in the impacts (T1185).