CVE-2025-23637

CVE-2025-23637 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin 新淘客WordPress插件 (wp-xintaoke) by fxy060608. This issue affects the plugin from unknown initial versions through 1.1.2, as published on 2025-03-03 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

A remote attacker requires no privileges and can exploit this over the network with low attack complexity by tricking an authenticated or unauthenticated site user into interacting with a maliciously crafted link or input that reflects executable script back in the browser. Successful exploitation changes the security scope, enabling limited impacts on confidentiality, integrity, and availability, such as potential session hijacking, data exfiltration from the victim's browser context, or site defacement visible to the user.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-xintaoke/vulnerability/wordpress-wordpress-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in wp-xintaoke version 1.1.2 and serves as a primary reference for affected installations. Practitioners should consult this and monitor for vendor patches or updates to versions beyond 1.1.2, alongside standard XSS mitigations like input sanitization and Content Security Policy enforcement.