CVE-2025-23688

CVE-2025-23688 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the Cobwebo URL Plugin (cobwebo-url) developed by editionskezzal for WordPress. The issue impacts all versions of the plugin from n/a through 1.0 inclusive. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low complexity, lack of required privileges, user interaction requirement, and scope change.

Attackers can exploit this vulnerability by crafting a malicious URL that incorporates reflected input, tricking authenticated or unauthenticated users into clicking or visiting it via social engineering, such as phishing emails or malicious links on external sites. No special privileges are needed (PR:N), and exploitation occurs over the network (AV:N) with low complexity (AC:L) but requires user interaction (UI:R). Successful exploitation executes arbitrary JavaScript in the victim's browser within the context of the WordPress site due to the changed scope (S:C), potentially leading to low-level impacts on confidentiality (e.g., session token theft), integrity (e.g., data tampering), and availability (e.g., denial of service).

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cobwebo-url/vulnerability/wordpress-cobwebo-url-plugin-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides detailed vulnerability information for the Cobwebo URL Plugin <=1.0, including guidance on mitigation for WordPress administrators.