CVE-2025-23580

High

Published: 21 January 2025

Published

21 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0019 40.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matthew BizLibrary bizlibrary allows Reflected XSS.This issue affects BizLibrary: from n/a through <= 1.1.

Security Summary

CVE-2025-23580 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the BizLibrary WordPress plugin by Matthew BizLibrary. This issue affects BizLibrary versions from n/a through 1.1 inclusive. The vulnerability was published on 2025-01-21 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as clicking a malicious link. Exploitation reflects attacker-controlled input into the web page, enabling script execution in the victim's browser with a changed scope (S:C). This can result in low-level impacts on confidentiality, integrity, and availability, such as session hijacking or data theft within the site's context.

The Patchstack advisory provides further details on this Reflected XSS vulnerability in the WordPress BizLibrary plugin version 1.1, available at https://patchstack.com/database/Wordpress/Plugin/bizlibrary/vulnerability/wordpress-bizlibrary-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/bizlibrary/vulnerability/wordpress-bizlibrary-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com