Cyber Posture

CVE-2025-23590

High

Published: 03 February 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0004 (12.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dezdy.com Dezdy dezdy-mcommerce allows Reflected XSS. This issue affects Dezdy: from n/a through <= 1.0.

Security Summary

CVE-2025-23590 is an Improper Neutralization of Input During Web Page Generation vulnerability (CWE-79), specifically Reflected Cross-site Scripting (XSS), in the Dezdy dezdy-mcommerce WordPress plugin. It affects Dezdy versions up to and including 1.0 and was published on 2025-02-03.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): it is exploitable over the network with low attack complexity and no required privileges, but it requires user interaction. Remote attackers can craft malicious links or inputs that, when processed by the plugin during web page generation, inject and execute arbitrary scripts in a victim's browser. This can lead to limited impacts on confidentiality, integrity, and availability within a changed scope, such as session hijacking or data exfiltration.

Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/dezdy-mcommerce/vulnerability/wordpress-dezdy-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, provide further details on the vulnerability in the context of the WordPress Dezdy plugin.

Details

CWE(s)
CWE-79
