CVE-2025-23668

High

Published: 03 March 2025

Published

03 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0035 57.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

Security Summary

CVE-2025-23668 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the ChatGPT Open AI Images & Content for WooCommerce WordPress plugin (slug: glasses-for-woocommerce) in all versions from n/a through 2.2.0.

The vulnerability has a CVSS v3.1 base score of 7.1 (High), with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and user interaction needed (UI:R). A remote, unauthenticated attacker can exploit it by crafting a malicious payload in a link or input that, when processed by the plugin during web page generation, reflects and executes arbitrary JavaScript in the victim's browser context (S:C). This allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), such as session hijacking or data theft within the site's scope.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/glasses-for-woocommerce/vulnerability/wordpress-chatgpt-open-ai-images-content-for-woocommerce-plugin-2-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides further details on the vulnerability.

Details

CWE(s): CWE-79

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: The vulnerability affects a WooCommerce plugin ('ChatGPT Open AI Images & Content for WooCommerce') that integrates ChatGPT and OpenAI services for generating images and content, functioning as an AI assistant for e-commerce/enterprise use.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

T1539 Steal Web Session Cookie Credential Access

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

attack.mitre.org →

T1555.003 Credentials from Web Browsers Credential Access

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

attack.mitre.org →

Why these techniques?

Reflected XSS in public-facing WooCommerce plugin enables exploitation of web applications (T1190), arbitrary JavaScript execution in victim browsers (T1059.007), stealing web session cookies (T1539), and extracting credentials from browsers (T1555.003).

References

https://patchstack.com/database/Wordpress/Plugin/glasses-for-woocommerce/vulnerability/wordpress-chatgpt-open-ai-images-content-for-woocommerce-plugin-2-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com