Cyber Posture

CVE-2025-23733

High

Published: 23 January 2025

Published
23 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0018 38.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may abuse various implementations of JavaScript for execution.

Security Summary

CVE-2025-23733 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the SC Simple Zazzle (sc-simple-zazzle) WordPress plugin developed by sayoko. This issue affects all versions of the plugin from n/a through 1.1.6 inclusive.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but reliant on user interaction. Remote attackers can leverage reflected XSS to execute arbitrary scripts in the context of a victim's browser, achieving low impacts on confidentiality, integrity, and availability with a changed scope.

Patchstack's advisory documents this Reflected XSS vulnerability specifically in SC Simple Zazzle plugin version 1.1.6 for WordPress, providing details on the issue for affected deployments.

Details

CWE(s)
CWE-79

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

The reflected XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) to execute arbitrary JavaScript in the victim's browser (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References