CVE-2025-23731

CVE-2025-23731 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Tax Report for WooCommerce WordPress plugin by infosoftplugin, with the issue present in all versions from n/a through 2.2 inclusive. The vulnerability was published on 2025-03-03.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Remote attackers with no required privileges can exploit it over the network with low attack complexity, though it requires user interaction such as visiting a maliciously crafted link. Exploitation allows injection and execution of arbitrary JavaScript in the victim's browser context, resulting in low impacts to confidentiality, integrity, and availability, but with a changed scope that can affect other system resources.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/tax-report-for-woocommerce/vulnerability/wordpress-tax-report-for-woocommerce-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which documents the Reflected XSS in Tax Report for WooCommerce version 2.2.