CVE-2025-23706
Published: 22 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in milordk Jet Skinner for BuddyPress jet-skinner-for-buddypress allows Reflected XSS.This issue affects Jet Skinner for BuddyPress: from n/a through <= 1.2.5.
Security Summary
CVE-2025-23706 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Jet Skinner for BuddyPress WordPress plugin (jet-skinner-for-buddypress), with the issue present in all versions from n/a through 1.2.5. The vulnerability was published on 2025-01-22T15:15:22.387 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it demands user interaction such as clicking a malicious link. Upon successful exploitation, adversaries achieve a changed scope (S:C), allowing arbitrary script execution in the victim's browser context, which can result in low-level impacts to confidentiality, integrity, and availability, such as session hijacking or data theft.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-skinner-for-buddypress/vulnerability/wordpress-jet-skinner-for-buddypress-plugin-1-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS vulnerability in Jet Skinner for BuddyPress version 1.2.5.
Details
- CWE(s)