CVE-2025-23595

CVE-2025-23595 is an Improper Neutralization of Input During Web Page Generation vulnerability, manifesting as Reflected Cross-site Scripting (XSS) and classified under CWE-79. It affects the brainpulse Page Health-O-Meter WordPress plugin, specifically versions from n/a through 2.0 inclusive. The issue was published on 2025-03-03 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges but relying on user interaction, such as a victim visiting a maliciously crafted URL. Exploitation reflects attacker-controlled input into the web page, enabling execution of arbitrary JavaScript in the victim's browser context with changed scope. This can result in limited impacts to confidentiality, integrity, and availability, such as session hijacking, data exfiltration, or defacement within the site's domain.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/page-health-o-meter/vulnerability/wordpress-page-health-o-meter-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in the Page Health-O-Meter plugin version 2.0 and provides details relevant to mitigation for affected WordPress installations.