CVE-2025-23603

High

Published: 22 January 2025

Published

22 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0035 57.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MohammadJafar Khajeh Group category creator group-category-creator allows Reflected XSS.This issue affects Group category creator: from n/a through <= 1.3.0.3.

Security Summary

CVE-2025-23603 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Group Category Creator WordPress plugin by MohammadJafar Khajeh. The issue affects the plugin from unknown initial versions through 1.3.0.3.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as following a malicious link. Any unauthenticated attacker can exploit it by crafting input that reflects malicious JavaScript payloads during web page generation, achieving arbitrary script execution in the victim's browser context with changed scope and low impacts on confidentiality, integrity, and availability.

The Patchstack advisory provides further details on this WordPress plugin vulnerability, accessible at https://patchstack.com/database/Wordpress/Plugin/group-category-creator/vulnerability/wordpress-group-category-creator-plugin-1-3-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/group-category-creator/vulnerability/wordpress-group-category-creator-plugin-1-3-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com