CVE-2025-23556

CVE-2025-23556 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Push Envoy Notifications WordPress plugin by netbitsolutions. The flaw affects all versions from n/a through 1.0.0 and was published on 2025-03-03T14:15:41.180 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it demands user interaction such as visiting a maliciously crafted link or page. Upon successful exploitation, the changed scope (S:C) allows injected scripts to execute in the victim's browser context, enabling low-level impacts on confidentiality, integrity, and availability, such as session token theft, phishing, or minor defacement within the affected user's session.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/push-envoy/vulnerability/wordpress-push-envoy-notifications-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this WordPress plugin vulnerability, including recommended mitigations such as updating to a patched version if available or applying input sanitization workarounds.