CVE-2025-23699

CVE-2025-23699 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Event Countdown Timer Plugin by TechMix (event-countdown-timer) for WordPress. The issue impacts all versions from n/a through 1.4 inclusive. Published on 2025-01-16T20:15:45.060, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Unauthenticated attackers accessible over the network can exploit this with low attack complexity by tricking users into performing an action, such as visiting a maliciously crafted URL. Exploitation enables reflected XSS, where attacker-controlled input is reflected unsanitized in the web page, allowing script execution in the victim's browser context. This achieves low impacts to confidentiality (e.g., limited data exposure), integrity (e.g., minor modifications), and availability (e.g., minor disruptions), with a changed scope due to cross-context execution.

The Patchstack advisory provides details on this vulnerability in the Event Countdown Timer plugin version 1.4; security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/event-countdown-timer/vulnerability/wordpress-event-countdown-timer-plugin-by-techmix-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for mitigation guidance and patch information.