CVE-2025-23732
Published: 22 January 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-23732 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin Easy Filtering (easy-filtering) by franciscopalacios. This issue affects all versions of the plugin from n/a through 2.5.0 inclusive. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and was published on 2025-01-22T15:15:22.640.
The vulnerability can be exploited by remote attackers with network access, requiring low attack complexity, no privileges, and user interaction such as clicking a malicious link. Exploitation results in reflected XSS within a changed security scope, enabling limited impacts on confidentiality, integrity, and availability, such as executing scripts in the victim's browser context to steal session data or perform unauthorized actions on the affected site.
Patchstack advisories document this reflected XSS vulnerability specifically in Easy Filtering version 2.5.0 for WordPress, highlighting the issue in their vulnerability database. Mitigation requires updating the plugin to a version beyond 2.5.0.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploit public-facing application) via crafted malicious links and facilitates T1539 (steal web session cookie) through browser script execution for session data theft.