CVE-2025-23609

High

Published: 22 January 2025

Published

22 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0011 29.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Helle1 Tagesteller tagesteller allows Reflected XSS.This issue affects Tagesteller: from n/a through <= v.1.1.

Security Summary

CVE-2025-23609 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Helle1 Tagesteller (tagesteller) WordPress plugin. This issue affects Tagesteller versions from n/a through 1.1 inclusive. The vulnerability was published on 2025-01-22 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

A network-based attacker requires no privileges and can exploit this with low attack complexity by tricking an authenticated user into performing an action, such as interacting with a maliciously crafted request. Exploitation enables limited impacts on confidentiality, integrity, and availability in a context with changed scope, allowing potential execution of arbitrary scripts in the victim's browser.

The primary advisory from Patchstack documents this reflected XSS vulnerability specifically in the WordPress Tagesteller plugin up to version 1.1, available at https://patchstack.com/database/Wordpress/Plugin/tagesteller/vulnerability/wordpress-tagesteller-plugin-v-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/tagesteller/vulnerability/wordpress-tagesteller-plugin-v-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com