CVE-2025-23670

CVE-2025-23670 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the WordPress plugin "4-author-cheer-up-donate" by montashov. This issue impacts all versions of the plugin from n/a through 1.3 inclusive, as published on 2025-03-03.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility with low attack complexity, no required privileges, but necessitating user interaction. Remote attackers can exploit it by tricking users, such as site administrators, into interacting with maliciously crafted links or inputs reflected in web pages generated by the plugin. Successful exploitation enables arbitrary JavaScript execution in the victim's browser context with changed scope, resulting in low impacts to confidentiality, integrity, and availability, such as session hijacking or data theft.

Patchstack has documented the vulnerability, including details on the affected WordPress plugin version 1.3, with advisories available at https://patchstack.com/database/Wordpress/Plugin/4-author-cheer-up-donate/vulnerability/wordpress-4-author-cheer-up-donate-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should update to a patched version if available or disable the plugin on affected sites.