CVE-2025-23635

CVE-2025-23635 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the ePermissions WordPress plugin developed by mobde3net. The issue affects ePermissions versions from n/a through 1.2 inclusive, allowing malicious input to be reflected without proper sanitization during web page generation.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability can be exploited remotely over the network with low attack complexity and no required privileges, though it needs user interaction such as clicking a malicious link. Attackers can deliver reflected XSS payloads via crafted inputs, executing arbitrary scripts in the context of a victim's browser when accessing the affected site, potentially leading to low impacts on confidentiality, integrity, and availability, such as limited data exposure or site defacement.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/epermissions/vulnerability/wordpress-epermissions-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in ePermissions version 1.2, providing details for WordPress site administrators on identification and response.