CVE-2025-23666
Published: 26 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-23666 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Management-screen-droptiles component of the cxc-sawa software. This issue impacts all versions from n/a through 1.0 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts to confidentiality, integrity, and availability.
Remote attackers without privileges can exploit this vulnerability by crafting malicious input that reflects unsanitized in web page generation, tricking users—typically those with access to the management screen, such as administrators—into interacting via a malicious link or page. Successful exploitation executes arbitrary JavaScript in the victim's browser context, potentially allowing session hijacking, data theft, or minor disruptions, though impacts remain low due to scope change and interaction requirements.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cxc-sawa/vulnerability/wordpress-management-screen-droptiles-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which covers the WordPress plugin context and vulnerability specifics.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the browser (T1203 Exploitation for Client Execution) and directly facilitates session hijacking (T1185) and stealing web session cookies (T1539) as explicitly noted in the vulnerability impacts and attack vector via malicious links.