CVE-2025-23709
Published: 22 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23709 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the kiroro Formatted post WordPress plugin. This issue affects all versions of the plugin from n/a through 1.01. The vulnerability was published on 2025-01-22 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low attack complexity, requiring user interaction such as clicking a malicious link. Exploitation changes the scope to the site's context, enabling arbitrary script execution in the victim's browser. This can result in low-level impacts to confidentiality, integrity, and availability, such as session hijacking or data theft within the site's domain.
Patchstack's advisory documents this Reflected XSS vulnerability specifically in the WordPress Formatted Post plugin version 1.01, providing details available at https://patchstack.com/database/Wordpress/Plugin/formatted-post/vulnerability/wordpress-formatted-post-plugin-1-01-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser, directly facilitating Browser Session Hijacking (T1185) via injected scripts and JavaScript interpreter abuse (T1059.007).