Cyber Posture

CVE-2025-23571

High

Published: 14 February 2025

Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0011 (29.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in makong Internal Links Generator internal-links-generator allows Reflected XSS. This issue affects Internal Links Generator: from n/a through <= 3.51.

Security Summary

CVE-2025-23571 is an Improper Neutralization of Input During Web Page Generation vulnerability (CWE-79) that enables Reflected Cross-site Scripting (XSS). It affects the Internal Links Generator WordPress plugin (internal-links-generator) in all versions up to and including 3.51.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed, with changed scope and low impacts to confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated users—such as site administrators—into interacting with malicious input, such as a crafted link, to inject and execute arbitrary scripts in the victim's browser context.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/internal-links-generator/vulnerability/wordpress-internal-links-generator-plugin-3-51-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents this Reflected XSS issue in Internal Links Generator version 3.51, providing details for WordPress site operators on detection and response.

Details

CWE(s)
CWE-79
