CVE-2025-23593

CVE-2025-23593 is an Improper Neutralization of Input During Web Page Generation vulnerability, commonly known as Reflected Cross-Site Scripting (XSS) and classified under CWE-79. It affects the EmailPress WordPress plugin developed by kvvaradha, with the flaw present in all versions from n/a through 1.0 inclusive. The vulnerability was published on 2025-02-03 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, and potential for scope change.

The vulnerability can be exploited by remote attackers with no required privileges, targeting users who interact with maliciously crafted links or inputs reflected in the plugin's web page generation. Exploitation requires user interaction, such as clicking a link, but once triggered, it allows execution of arbitrary JavaScript in the victim's browser context. This can result in low-level impacts on confidentiality (e.g., limited data exposure), integrity (e.g., minor content manipulation), and availability (e.g., minor denial of service), potentially enabling theft of session cookies, phishing, or further site compromise within the changed scope.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/emailpress/vulnerability/wordpress-emailpress-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which documents the vulnerability in the WordPress EmailPress plugin version 1.0. Security practitioners should update to a patched version if available or disable the plugin until remediation.