Cyber Posture

CVE-2025-23730

High

Published: 23 January 2025

Published
23 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0019 40.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

An adversary may rely upon a user clicking a malicious link in order to gain execution.

Security Summary

CVE-2025-23730 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the FLX Dashboard Groups WordPress plugin (flx-dashboard-groups). The issue impacts all versions from n/a through 0.0.7 and was published on 2025-01-23.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability can be exploited remotely over the network by unauthenticated attackers requiring low complexity and user interaction, such as clicking a malicious link. Successful exploitation enables script execution in the context of the victim's browser, potentially compromising low levels of confidentiality, integrity, and availability due to the changed scope.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/flx-dashboard-groups/vulnerability/wordpress-flx-dashboard-groups-plugin-0-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-79

MITRE ATT&CK Enterprise Techniques

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
attack.mitre.org →
Why these techniques?

Reflected XSS enables arbitrary JavaScript execution in the victim's browser context upon clicking a crafted malicious link, directly facilitating T1059.007 (JavaScript) and T1204.001 (Malicious Link).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References