CVE-2025-23725

CVE-2025-23725 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (CWE-79), in the pshikli Accessibility Task Manager WordPress plugin (accessibility-task-manager). This issue affects all versions from n/a through 1.2.1. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low complexity, no required privileges, user interaction, and cross-origin scope change with low impacts on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this Reflected XSS vulnerability remotely by crafting malicious inputs that are reflected in dynamically generated web pages. Exploitation requires tricking a user into interacting with a malicious link or payload (UI:R), such as via phishing, leading to arbitrary script execution in the victim's browser context. This enables limited theft of sensitive data (C:L), modification of page content (I:L), or disruption of services (A:L), amplified by the scope change to cross-origin (S:C).

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/accessibility-task-manager/vulnerability/wordpress-accessibility-task-manager-plugin-1-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the vulnerability specifically in the WordPress Accessibility Task Manager plugin up to version 1.2.1 and provides details on detection and mitigation, including recommendations for plugin updates or hardening measures.