CVE-2025-23718
Published: 03 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-23718 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Mancx AskMe Widget (mancx-askme-widget) WordPress plugin. This issue affects all versions from n/a through 0.3 inclusive, as published on 2025-03-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, but user interaction needed, with changed scope and low impacts on confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with malicious input, such as via a crafted link or request reflected in the web page, potentially leading to script execution in the victim's browser context.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/mancx-askme-widget/vulnerability/wordpress-mancx-askme-widget-plugin-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, document the vulnerability in the context of the WordPress plugin.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability allows remote exploitation of a public-facing WordPress plugin via crafted links or requests that trigger arbitrary script execution in the victim's browser after user interaction.