CVE-2025-23587
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-23587 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the WordPress plugin all-in-one-box-login (also referred to as all-in-one-login) developed by Ashek Al Mahmud. The issue impacts all versions of the plugin from n/a through <= 2.0.1. It was published on 2025-03-03T14:15:43.437 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity by crafting malicious input that is reflected and executed in a victim's browser upon user interaction, such as clicking a specially crafted link. Exploitation requires the victim to interact with the malicious payload, after which the attacker can achieve low impacts on confidentiality, integrity, and availability in a changed scope, potentially leading to session token theft or other client-side script execution within the context of the affected site.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/all-in-one-login/vulnerability/wordpress-all-in-one-box-login-plugin-2-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables crafting malicious links that trigger client-side script execution upon user click (T1204.001) and directly supports stealing web session cookies via injected JavaScript as described.