CVE-2025-23737
Published: 24 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-23737 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the thobian Network-Favorites WordPress plugin. This flaw affects Network-Favorites versions from n/a through 1.1.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but necessitating user interaction. Remote attackers can leverage reflected XSS by tricking users into interacting with malicious input, such as via crafted links or payloads reflected in web page generation, potentially leading to low-level impacts on confidentiality, integrity, and availability within a changed security scope.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/network-favorites/vulnerability/wordpress-network-favorites-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) details this Reflected XSS issue in the WordPress Network-Favorites plugin version 1.1.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of web application vulnerabilities (T1190) and user execution via crafted malicious links (T1204.001).