CVE-2025-23563
Published: 03 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-23563 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Explore pages component in the mbyte Explore Pages WordPress plugin. This flaw impacts versions from an unspecified initial release through 1.01, as published on 2025-03-03.
Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction such as clicking a malicious link (UI:R). Exploitation changes the scope (S:C) and enables limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), resulting in a CVSS v3.1 base score of 7.1.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/explore-pages/vulnerability/wordpress-explore-pages-plugin-1-01-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in the WordPress Explore Pages plugin version 1.01 and provides associated mitigation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of the web app over the network via a crafted malicious link requiring user interaction to trigger arbitrary script execution in the browser.