CVE-2025-23555
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23555 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Ui Slider Filter By Price WordPress plugin by chenyenming. The issue affects all versions of the plugin from n/a through 1.1 inclusive. Published on 2025-03-03T14:15:41.040, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it necessitates user interaction such as clicking a malicious link or submitting crafted input. Successful exploitation enables reflected XSS, allowing execution of arbitrary scripts in the victim's browser context with changed scope, potentially compromising low levels of confidentiality, integrity, and availability for the affected site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ui-slider-filter-by-price/vulnerability/wordpress-ui-slider-filter-by-price-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this vulnerability in the Ui Slider Filter By Price WordPress plugin version 1.1.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of web application (T1190) and arbitrary JavaScript execution in victim browser (T1059.007).