CVE-2025-23721
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23721 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Mobigate WordPress plugin (mobigatevn) from cloudvn. The issue impacts all versions of the plugin from n/a through 1.0.3 inclusive, as disclosed on March 3, 2025.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable remotely over the network by unauthenticated attackers requiring low attack complexity and user interaction, such as clicking a malicious link. Successful exploitation changes the security scope to cross-instance, enabling low-level impacts on confidentiality, integrity, and availability, such as injecting scripts into reflected user input to steal session cookies or perform other client-side actions in the victim's browser.
Patchstack provides details on the vulnerability in their database entry at https://patchstack.com/database/Wordpress/Plugin/mobigatevn/vulnerability/wordpress-mobigate-plugin-1-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which security practitioners should consult for recommended mitigations, such as updating the plugin or applying input sanitization.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and facilitates arbitrary JavaScript execution in the victim's browser to perform actions such as stealing session cookies.