CVE-2025-23681
Published: 22 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tahminajannat REDIRECTION PLUS redirection-plus allows Reflected XSS. This issue affects REDIRECTION PLUS: from n/a through <= 2.0.0.
Security Summary
CVE-2025-23681 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the REDIRECTION PLUS WordPress plugin by tahminajannat (redirection-plus), impacting all versions from its initial release through 2.0.0. The vulnerability was published on 2025-01-22.
The issue carries a CVSS v3.1 base score of 7.1 (High) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. Remote attackers require no privileges and can exploit it over the network with low attack complexity by tricking authenticated users into interacting with malicious input, such as via a crafted link or request reflected in the web page. Exploitation changes the security scope, allowing limited impacts on confidentiality, integrity, and availability, such as executing scripts in the victim's browser context to steal session cookies or perform other client-side actions.
Patchstack provides detailed advisory information on this vulnerability, including analysis specific to the WordPress REDIRECTION PLUS plugin version 2.0.0, accessible at https://patchstack.com/database/Wordpress/Plugin/redirection-plus/vulnerability/wordpress-redirection-plus-plugin-2-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)