CVE-2025-23632
Published: 26 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-23632 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Rhizome Networks CG Button (content-glass-button) WordPress plugin. This issue affects CG Button versions from an unspecified initial release through 1.0.5.6. The vulnerability was published on 2025-03-26 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges but user interaction, such as clicking a malicious link. Exploitation changes the scope and enables limited impacts on confidentiality, integrity, and availability, typically allowing execution of arbitrary scripts in the victim's browser context, such as session hijacking or data theft from the affected site.
Patchstack documents this as a Reflected XSS vulnerability in the WordPress CG Button plugin version 1.0.5.6, with details available at https://patchstack.com/database/Wordpress/Plugin/content-glass-button/vulnerability/wordpress-cg-button-plugin-1-0-5-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should consult this advisory for recommended mitigations, such as plugin updates if available.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in the WordPress plugin allows arbitrary JavaScript execution in the victim's browser via crafted malicious links (T1204.001, T1059.007), directly enabling session hijacking and data theft (T1185).