CVE-2025-23616

CVE-2025-23616 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Canalplan-AC WordPress plugin by Steve Canalplan. This issue affects Canalplan-AC versions from n/a through 5.31 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility and scope change despite requiring user interaction.

Attackers can exploit this remotely over the network without authentication or privileges, using low-complexity techniques that require user interaction, such as tricking a victim into visiting a maliciously crafted URL on a vulnerable site. Successful exploitation enables reflected XSS, where attacker-controlled input is improperly reflected in the web page, allowing script injection. This yields low impacts on confidentiality (e.g., limited data exposure), integrity (e.g., minor tampering), and availability, but the changed scope (S:C) amplifies potential effects in cross-origin contexts.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/canalplan-ac/vulnerability/wordpress-canalplan-plugin-5-31-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this reflected XSS vulnerability in the Canalplan-AC WordPress plugin at version 5.31, serving as a key reference for mitigation details.