Cyber Posture

CVE-2025-23647

Severity: High

Published: 14 February 2025
Modified: 23 April 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0010 (27.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ariagle WP-Clap wp-clap allows Reflected XSS. This issue affects WP-Clap: from n/a through 1.5.

Security Summary

CVE-2025-23647 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Ariagle WP-Clap WordPress plugin (slug wp-clap). Published on 2025-02-14, it affects every version of WP-Clap up to and including 1.5 (the advisory gives no lower bound, hence "from n/a"). The plugin writes attacker-controlled request data into the page it generates without context-appropriate output encoding, so script carried in a crafted URL is reflected back to the requesting browser and executed there.
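The pattern behind a CWE-79 finding of this kind, as an added example that is not WP-Clap's code and not taken from the advisory: a request parameter is written into generated HTML without output encoding, shown beside a sanitize-only variant (still exploitable through attribute breakout) and the hardened form that escapes at each output sink. The parameter name clap_ref, the markup and the payloads are constructed for illustration; this page does not name the parameter that is vulnerable in WP-Clap 1.5. The example goes slightly beyond the page by showing why input sanitization alone does not close the bug.

```php
<?php
// Added example, not WP-Clap's code. Shows the CWE-79 pattern behind a reflected
// XSS in a WordPress plugin: a request parameter is written into generated HTML
// without output encoding. The parameter name "clap_ref" and the markup are
// hypothetical; this page does not name the parameter vulnerable in WP-Clap <= 1.5.

// Fallbacks so the file runs outside WordPress. Inside WordPress the real
// functions are already defined and these are skipped. The fallbacks are
// approximations (WordPress's esc_html()/esc_attr() also normalise entities via
// wp_kses, and sanitize_text_field() does more than strip_tags()).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return is_string($value) ? stripslashes($value) : $value;
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str));
    }
}

// VULNERABLE: the raw query parameter reaches both an attribute and a text node.
function clap_render_vulnerable(array $get): string {
    $ref = $get['clap_ref'] ?? '';
    return '<div class="clap-box" data-ref="' . $ref . '">Thanks, ' . $ref . '!</div>';
}

// STILL VULNERABLE: input sanitization only. Tags are stripped, but a quote
// still breaks out of the attribute, so an event handler can be injected.
function clap_render_sanitized_only(array $get): string {
    $ref = sanitize_text_field(wp_unslash($get['clap_ref'] ?? ''));
    return '<div class="clap-box" data-ref="' . $ref . '">Thanks, ' . $ref . '!</div>';
}

// HARDENED: sanitize on input AND escape at each output sink for its context
// (esc_attr() inside the attribute, esc_html() in the text node). Escaping at
// the sink is what neutralises the input for page generation (CWE-79).
function clap_render_hardened(array $get): string {
    $ref = sanitize_text_field(wp_unslash($get['clap_ref'] ?? ''));
    return '<div class="clap-box" data-ref="' . esc_attr($ref) . '">Thanks, '
        . esc_html($ref) . '!</div>';
}

// Parses the rendered fragment and reports whether it contains a script element
// or an on* event-handler attribute, i.e. an executable injection point.
function clap_looks_injected(string $html): bool {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    if ($doc->getElementsByTagName('script')->length > 0) {
        return true;
    }
    $handlers = (new DOMXPath($doc))->query('//@*[starts-with(name(), "on")]');
    return $handlers !== false && $handlers->length > 0;
}

// Constructed payloads of the kind a crafted link would carry (UI:R in the vector).
$payloads = [
    'script tag'         => '"><script>alert(document.domain)</script>',
    'attribute breakout' => '" onmouseover="alert(document.domain)',
];

$renderers = ['clap_render_vulnerable', 'clap_render_sanitized_only', 'clap_render_hardened'];
foreach ($payloads as $label => $payload) {
    $request = ['clap_ref' => $payload];
    foreach ($renderers as $fn) {
        $html = $fn($request);
        printf("%-18s %-27s injected=%s\n  %s\n", $label, $fn,
            clap_looks_injected($html) ? 'yes' : 'no', $html);
    }
}
```

Run it with `php` from the command line; it needs the DOM extension, which ships with most PHP builds. The sanitize-only renderer defeats the script-tag payload but not the attribute-breakout one, which is the usual lesson of reflected XSS in plugins: choose the escaping function for the context the value lands in, and apply it at the point of output.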

The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L) and no privileges (PR:N), but it requires user interaction (UI:R): the victim has to open a crafted link, typically delivered by phishing or planted on another site. Scope is changed (S:C) because the vulnerable component is the plugin on the WordPress server while the impact lands in a different security authority, the victim's browser. Confidentiality, integrity and availability are each rated Low (C:L/I:L/A:L), which gives a CVSS v3.1 base score of 7.1. In practice this means arbitrary JavaScript running in the victim's browser under the site's origin; the target that matters most is a logged-in administrator, since script in that session can make authenticated requests to the site on their behalf.
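To check the 7.1 rather than take it on trust, here is a CVSS v3.1 base-score calculator, added as an example and not part of the page or of any vendor tool, implementing the base-metric equations and the Roundup function of the CVSS v3.1 specification. It scores the page's vector and, for comparison, the same vector with scope unchanged (S:U), which is a constructed variant used only to show how much the S:C rating contributes.

```php
<?php
// Added example, not part of the page. Recomputes a CVSS v3.1 base score from a
// vector string using the base-metric equations of the CVSS v3.1 specification,
// so a vendor- or database-supplied score can be checked rather than trusted.

function cvss31_weight(array $table, string $metric, string $value): float {
    if (!array_key_exists($value, $table)) {
        throw new InvalidArgumentException("Bad value '$value' for metric $metric");
    }
    return $table[$value];
}

// Roundup as defined in CVSS v3.1 Appendix A: round to one decimal, upwards,
// using integer arithmetic to avoid floating-point drift at the boundary.
function cvss31_roundup(float $x): float {
    $i = (int) round($x * 100000);
    if ($i % 10000 === 0) {
        return $i / 100000.0;
    }
    return (floor($i / 10000) + 1) / 10.0;
}

function cvss31_base_score(string $vector): float {
    $parts = explode('/', $vector);
    if (array_shift($parts) !== 'CVSS:3.1') {
        throw new InvalidArgumentException('Only CVSS:3.1 vectors are supported');
    }
    $m = [];
    foreach ($parts as $p) {
        [$k, $v] = explode(':', $p, 2);
        $m[$k] = $v;
    }
    foreach (['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A'] as $k) {
        if (!isset($m[$k])) {
            throw new InvalidArgumentException("Missing base metric $k");
        }
    }
    if (!in_array($m['S'], ['U', 'C'], true)) {
        throw new InvalidArgumentException("Bad value '{$m['S']}' for metric S");
    }
    $changed = $m['S'] === 'C';

    $av = cvss31_weight(['N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2], 'AV', $m['AV']);
    $ac = cvss31_weight(['L' => 0.77, 'H' => 0.44], 'AC', $m['AC']);
    // Privileges Required is weighted higher when scope is changed.
    $pr = $changed
        ? cvss31_weight(['N' => 0.85, 'L' => 0.68, 'H' => 0.50], 'PR', $m['PR'])
        : cvss31_weight(['N' => 0.85, 'L' => 0.62, 'H' => 0.27], 'PR', $m['PR']);
    $ui = cvss31_weight(['N' => 0.85, 'R' => 0.62], 'UI', $m['UI']);
    $cia = ['H' => 0.56, 'L' => 0.22, 'N' => 0.0];
    $c = cvss31_weight($cia, 'C', $m['C']);
    $i = cvss31_weight($cia, 'I', $m['I']);
    $a = cvss31_weight($cia, 'A', $m['A']);

    // Impact Sub-Score, then the scope-dependent Impact and Exploitability terms.
    $iss = 1 - (1 - $c) * (1 - $i) * (1 - $a);
    $impact = $changed
        ? 7.52 * ($iss - 0.029) - 3.25 * pow($iss - 0.02, 15)
        : 6.42 * $iss;
    $exploitability = 8.22 * $av * $ac * $pr * $ui;

    if ($impact <= 0) {
        return 0.0;
    }
    return $changed
        ? cvss31_roundup(min(1.08 * ($impact + $exploitability), 10))
        : cvss31_roundup(min($impact + $exploitability, 10));
}

// The vector from this page, and a constructed variant with scope unchanged (S:U)
// to show how much the cross-component impact contributes to the score.
$vector = 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L';
foreach ([$vector, str_replace('/S:C/', '/S:U/', $vector)] as $v) {
    printf("%-48s base score %.1f\n", $v, cvss31_base_score($v));
}
```

Running it reproduces the 7.1 listed above for the page's vector; the S:U variant scores lower, which is the 1.08 multiplier and the changed-scope Impact equation at work. Only the base score is computed here; temporal and environmental metrics are out of scope for this page.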

The Patchstack advisory for WP-Clap 1.5 is at https://patchstack.com/database/Wordpress/Plugin/wp-clap/vulnerability/wordpress-wp-clap-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. The Patch field on this page is empty, so consult the advisory for whether a fixed release exists and update to it if so; until a fixed version is installed, the practical mitigation is to deactivate or remove the plugin, since a web application firewall rule for the reflected parameter only reduces exposure rather than closing the bug.

Details

CWE(s)
CWE-79

References