CVE-2025-23638
Published: 26 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23638 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Frontend Post Submission WordPress plugin by Umesh Ghimire, impacting all versions from n/a through 1.0 inclusive. Published on 2025-03-26T15:15:58.940, the vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this over the network with low complexity and no required privileges, though it demands user interaction such as clicking a malicious link. Successful exploitation injects scripts into reflected user input on web pages, allowing limited impacts on confidentiality, integrity, and availability while changing scope to potentially affect other users or resources.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/frontend-post-submission/vulnerability/wordpress-frontend-post-submission-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this Reflected XSS issue in the Frontend Post Submission plugin version 1.0 for mitigation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and execution of arbitrary JavaScript in the victim's browser (T1059.007).