CVE-2025-23601

CVE-2025-23601 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the Tab My Content WordPress plugin developed by patrice. The issue resides in the My Content tab-my-content component and impacts all versions from n/a through 1.0.0. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low complexity, no required privileges, user interaction, and scope change with low impacts on confidentiality, integrity, and availability. The vulnerability was published on 2025-01-22.

Attackers can exploit this Reflected XSS over the network without authentication by crafting malicious input that reflects unsanitized on the affected tab, tricking authenticated users into interacting via a malicious link or payload (e.g., phishing). Successful exploitation executes arbitrary JavaScript in the victim's browser context with changed scope, potentially leading to session hijacking, data theft, or further site compromise, though impacts remain low across confidentiality, integrity, and availability.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/tab-my-content/vulnerability/wordpress-tab-my-content-plugin-1-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in the WordPress Tab My Content plugin version 1.0.0, recommending updates to patched versions where available or disabling the plugin until remediation.