CVE-2025-23646

CVE-2025-23646 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Matt Brooks Library Instruction Recorder (library-instruction-recorder) WordPress plugin. This issue affects all versions from n/a through 1.1.4. Published on 2025-02-14, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, and changed scope.

Remote attackers without privileges can exploit this vulnerability over the network by tricking authenticated users into interacting with maliciously crafted inputs, such as links or forms that reflect unsanitized data back in the web page response. Successful exploitation executes arbitrary JavaScript in the victim's browser within the context of the affected site, potentially leading to limited impacts on confidentiality (e.g., session token theft), integrity (e.g., data modification), and availability.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/library-instruction-recorder/vulnerability/wordpress-library-instruction-recorder-plugin-1-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this Reflected XSS in Library Instruction Recorder version 1.1.4, providing details for WordPress site administrators to assess and address exposure.