CVE-2025-23726
Published: 03 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-23726 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the ComparePress WordPress plugin developed by thebloghouse. This issue affects ComparePress versions from n/a through 2.0.8 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, user interaction needed, and changed scope with low impacts to confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with maliciously crafted input, such as a specially prepared link or form submission, leading to arbitrary script execution in the victim's browser within the site's context.
The Patchstack advisory provides details on this vulnerability in the ComparePress plugin version 2.0.8 at https://patchstack.com/database/Wordpress/Plugin/comparepress/vulnerability/wordpress-comparepress-plugin-2-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and facilitates browser session hijacking through arbitrary script execution in the victim's browser (T1185).