CVE-2025-23631

CVE-2025-23631 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Sarah Lewis Content Planner WordPress plugin (content-planner). This issue affects the plugin from unknown initial versions (n/a) through version 1.0 inclusive. The vulnerability was published on 2025-01-22 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change potential.

Attackers can exploit this Reflected XSS remotely over the network with low attack complexity and no privileges required, though it necessitates user interaction, such as visiting a maliciously crafted link or page. No authentication is needed, making it accessible to unauthenticated remote attackers. Successful exploitation enables limited impacts on confidentiality, integrity, and availability (low ratings across all), but the changed scope (S:C) allows effects to propagate beyond the vulnerable component, potentially compromising other users' sessions or linked applications via injected scripts.

The primary advisory from Patchstack, available at https://patchstack.com/database/Wordpress/Plugin/content-planner/vulnerability/wordpress-content-planner-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, documents the Reflected XSS in Content Planner version 1.0 and provides details on the vulnerability for WordPress environments. Security practitioners should review this reference for specific patch availability, workaround recommendations, and collection status updates.