CVE-2025-23687

High

Published: 27 February 2025

Published

27 February 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0013 32.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in simonhunter Woo Store Mode woo-store-mode allows Reflected XSS.This issue affects Woo Store Mode: from n/a through <= 1.0.1.

Security Summary

CVE-2025-23687 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Woo Store Mode WordPress plugin (woo-store-mode) developed by simonhunter, impacting all versions from n/a through 1.0.1.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as visiting a malicious link. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with crafted input reflected in web pages, achieving arbitrary script execution in the victim's browser context with changed scope and low impacts to confidentiality, integrity, and availability.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/woo-store-mode/vulnerability/wordpress-woo-store-mode-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS issue in Woo Store Mode plugin version 1.0.1 and prior, recommending mitigation through updating to a patched version beyond 1.0.1.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/woo-store-mode/vulnerability/wordpress-woo-store-mode-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com