CVE-2025-23585
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23585 is an improper neutralization of input during web page generation vulnerability, specifically a reflected cross-site scripting (XSS) issue classified under CWE-79, in the CantonBolo Goo.gl Url Shorter WordPress plugin (googl-url-shorter). This flaw affects all versions of the plugin from n/a through 1.0.1.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation over the network with low complexity, no required privileges, and user interaction. A remote unauthenticated attacker can craft a malicious URL containing an XSS payload and trick a targeted user, such as an authenticated WordPress administrator, into visiting it. Upon execution in the victim's browser, the attacker can achieve low impacts on confidentiality, integrity, and availability within a changed scope, potentially leading to theft of session cookies, account takeover, or further site compromise.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/googl-url-shorter/vulnerability/wordpress-goo-gl-url-shorter-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploiting the vulnerable web app over network) and T1059.007 (arbitrary JavaScript execution in victim's browser via crafted URL).