CVE-2025-23674
Published: 22 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andygauk Bit.ly linker bitly-linker allows Reflected XSS.This issue affects Bit.ly linker: from n/a through <= 1.1.
Security Summary
CVE-2025-23674 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Bit.ly linker WordPress plugin by andygauk. This issue affects all versions of the bitly-linker plugin up to and including 1.1.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but needing user interaction such as clicking a malicious link. Any unauthenticated attacker can craft a malicious payload reflected in the plugin's web page generation, achieving arbitrary script execution in the victim's browser context with changed scope and low impacts to confidentiality, integrity, and availability.
The Patchstack advisory details this Reflected XSS vulnerability in the WordPress Bit.ly linker plugin version 1.1, providing vulnerability assessment and likely patch information in its database entry.
Details
- CWE(s)