CVE-2025-23714
Published: 26 March 2025
Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Security Summary
CVE-2025-23714 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the podspod AppReview (appreview) WordPress plugin. The issue impacts all versions from an unspecified initial release through 0.2.9.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network with low attack complexity, requiring no privileges but user interaction such as clicking a malicious link. Any unauthenticated remote attacker can deliver crafted payloads reflected in web pages, potentially executing arbitrary scripts in the victim's browser context to achieve limited impacts on confidentiality, integrity, and availability within a changed security scope.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/appreview/vulnerability/wordpress-appreview-plugin-0-2-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS vulnerability in AppReview plugin version 0.2.9, recommending mitigation through updating to a version beyond 0.2.9 where the issue is addressed.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS allows crafted malicious links to trigger arbitrary JavaScript execution in victims' browsers, directly enabling drive-by compromise of user systems.