CVE-2025-23657
Published: 14 February 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RusAlex WordPress-to-candidate for Salesforce CRM salesforce-wordpress-to-candidate allows Reflected XSS.This issue affects WordPress-to-candidate for Salesforce CRM: from n/a through <= 1.0.1.
Security Summary
CVE-2025-23657 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the RusAlex WordPress-to-candidate for Salesforce CRM plugin (salesforce-wordpress-to-candidate). This issue impacts all versions from n/a through 1.0.1 and was published on 2025-02-14.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but necessitating user interaction. Any unauthenticated attacker can deliver malicious input that reflects back to victims, potentially executing scripts in their browsers within the context of the affected site and changing the scope of impact to achieve low-level effects on confidentiality, integrity, and availability.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/salesforce-wordpress-to-candidate/vulnerability/wordpress-wordpress-to-candidate-for-salesforce-crm-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in WordPress-to-candidate for Salesforce CRM plugin version 1.0.1.
Details
- CWE(s)