Cyber Posture

CVE-2025-23591

High

Published: 03 February 2025

Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0004 (12.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blulogistics1 blu Logistics blu-logistics allows Reflected XSS. This issue affects blu Logistics: from n/a through <= 1.0.0.

Security Summary

CVE-2025-23591 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the blu Logistics WordPress plugin (also referenced as blulogistics1 blu-logistics). It affects all versions of the plugin up to and including 1.0.0. The vulnerability was published on 2025-02-03.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): it is reachable over the network, has low attack complexity, requires no privileges, requires user interaction, changes scope, and has low impact on confidentiality, integrity, and availability. A remote attacker can exploit it by crafting malicious input that is reflected back to users, for example through phishing links or manipulated requests, tricking authenticated users into executing scripts in their browsers within the site's context.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/blu-logistics/vulnerability/wordpress-blu-logistics-plugin-1-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79