CVE-2025-23619
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-23619 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Catch Duplicate Switcher WordPress plugin developed by Catch Themes. The issue affects the plugin from unspecified initial versions through version 2.0 inclusive. Published on March 3, 2025, it carries a CVSS v3.1 base score of 7.1.
Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), such as clicking a malicious link. The changed scope (S:C) enables execution of arbitrary JavaScript in the victim's browser context, resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). Potential outcomes include session hijacking, data theft, or phishing within the affected site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/catch-duplicate-switcher/vulnerability/wordpress-catch-duplicate-switcher-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability specific to Catch Duplicate Switcher version 2.0.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS is exploited by sending a malicious link (T1204.001) that triggers arbitrary JS execution in the browser; this directly enables session hijacking via cookie theft (T1539) as explicitly noted in the CVE description.