CVE-2025-23689

High

Published: 16 January 2025

Published

16 January 2025

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0021 42.8th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Poco Blogger Image Import allows Stored XSS.This issue affects Blogger Image Import: from 2.1 through n/a.

Security Summary

CVE-2025-23689 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the Blogger Image Import WordPress plugin, also referred to as Poco Blogger Image Import. The issue affects versions from 2.1 through all subsequent releases.

Unauthenticated attackers with network access can exploit this vulnerability with low attack complexity and user interaction required, achieving a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Exploitation involves CSRF leading to stored XSS, allowing attackers to inject malicious scripts that execute in the context of other users viewing affected pages.

The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/blogger-image-import/vulnerability/wordpress-blogger-image-import-plugin-2-1-csrf-to-stored-xss-vulnerability?_s_id=cve documents the CSRF-to-stored XSS vulnerability in the Blogger Image Import plugin version 2.1 and provides details on mitigation.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/wordpress/plugin/blogger-image-import/vulnerability/wordpress-blogger-image-import-plugin-2-1-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com