CVE-2025-23633

CVE-2025-23633 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the WP Database Audit plugin (database-audit) developed by khanhtruong for WordPress, impacting all versions from n/a through 1.0 inclusive. Published on 2025-03-26, the issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), reflecting its potential for high severity due to network accessibility, low complexity, lack of required privileges, user interaction requirement, and changed scope.

Unauthenticated attackers accessible over the network can exploit this vulnerability by crafting malicious inputs that are reflected back in web pages without proper sanitization. Exploitation requires tricking a user—typically an authenticated WordPress user or administrator—into interacting with a malicious payload, such as clicking a specially crafted link. Successful attacks inject scripts into the victim's browser context, achieving low impacts on confidentiality (e.g., limited data exposure), integrity (e.g., minor tampering), and availability, amplified by the changed scope to affect the site's security context.

The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/database-audit/vulnerability/wordpress-wp-database-audit-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents this Reflected XSS issue in WP Database Audit version 1.0. Security practitioners should review this reference for specific mitigation recommendations, including potential plugin updates or workarounds.