CVE-2025-23604
Published: 22 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maeve Lander Rezdy Reloaded reloaded-rezdy allows Stored XSS. This issue affects Rezdy Reloaded: from n/a through <= 1.0.1.
Security Summary
CVE-2025-23604 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the Rezdy Reloaded WordPress plugin by Maeve Lander. It affects all versions of the reloaded-rezdy plugin from n/a through 1.0.1 inclusive. The CVE was published on 2025-01-22 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated attacker (PR:N) with network access can exploit this stored XSS with low attack complexity; exploitation requires user interaction, such as a victim viewing an affected web page. The attacker's input is stored and not properly neutralized during page generation, so the injected script executes in the browser context of other users. The scope is changed (S:C), with low impact on confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/reloaded-rezdy/vulnerability/wordpress-rezdy-reloaded-plugin-1-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in this WordPress plugin; practitioners should consult it for specific mitigation steps, such as applying available patches or updates beyond version 1.0.1.
Details
- CWE(s)