CVE-2025-23565
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23565 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Wibstats WordPress plugin (wibstats-statistics-for-wordpress-mu) by Chris Taylor, impacting all versions from n/a through 0.5.5 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
Remote attackers require no privileges and can exploit it over the network with low attack complexity, though user interaction is needed, such as a victim clicking a malicious link or visiting a crafted page. Exploitation allows script execution in the victim's browser context, potentially leading to low-level impacts on confidentiality (e.g., session theft), integrity (e.g., data tampering), and availability, with the attack scope expanding beyond the vulnerable component.
The Patchstack advisory provides details on this vulnerability, including mitigation guidance, accessible at https://patchstack.com/database/Wordpress/Plugin/wibstats-statistics-for-wordpress-mu/vulnerability/wordpress-wibstats-plugin-0-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in the public-facing WordPress plugin directly enables exploitation of the web application (T1190) to execute arbitrary JavaScript in the victim's browser context (T1059.007).