CVE-2025-23650

High

Published: 14 February 2025

Published

14 February 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0011 29.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in razvypp Tidy.ro tidyro allows Reflected XSS.This issue affects Tidy.ro: from n/a through <= 1.3.

Security Summary

CVE-2025-23650 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Tidy.ro WordPress plugin developed by razvypp. This issue impacts all versions of the plugin from n/a through 1.3 inclusive, as published on 2025-02-14 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

The vulnerability enables remote attackers to exploit it over the network with low attack complexity and no privileges required, though user interaction is necessary. Exploitation involves injecting malicious scripts via reflected input, allowing attackers to execute code in the context of affected users' browsers and achieve low impacts on confidentiality, integrity, and availability with a changed scope.

Patchstack has documented this Reflected XSS vulnerability in their database entry for the WordPress Tidy.ro plugin version 1.3, providing details on the issue.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/tidyro/vulnerability/wordpress-tidy-ro-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com