CVE-2025-23570

CVE-2025-23570 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the WP Social Links WordPress plugin developed by Mitchell Bundy (wp-social-links). The issue impacts all versions from n/a through 0.3.1. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low complexity, no privileges required, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.

Unauthenticated attackers (PR:N) can exploit this reflected XSS over the network (AV:N) by crafting malicious links or inputs that, when interacted with by a user (UI:R), inject and execute arbitrary scripts in the victim's browser context due to insufficient input sanitization during web page generation. Successful exploitation enables low-level impacts such as limited data exfiltration (e.g., session tokens), minor page modifications, or restricted denial of service, amplified by the changed scope (S:C) to affect the site's security context.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-social-links/vulnerability/wordpress-wp-social-links-plugin-0-3-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability and recommends updating the WP Social Links plugin to a version beyond 0.3.1, where the issue is addressed.