CVE-2025-23739

CVE-2025-23739 is a reflected cross-site scripting (XSS) vulnerability stemming from improper neutralization of input during web page generation (CWE-79). It affects the WP Ultimate Reviews FREE WordPress plugin (wp-ultimate-reviews-free by jtibbles) in all versions up to and including 1.0.2.

The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable remotely over the network with low attack complexity and no authentication privileges required, though user interaction is necessary. Attackers can craft malicious payloads delivered via reflected inputs, tricking authenticated or unauthenticated users into triggering the XSS—typically by visiting a maliciously crafted URL. This enables arbitrary JavaScript execution in the victim's browser context, with a changed scope allowing potential low-level impacts on confidentiality, integrity, and availability, such as session hijacking or data exfiltration from the site.

Patchstack's advisory (https://patchstack.com/database/Wordpress/Plugin/wp-ultimate-reviews-free/vulnerability/wordpress-wp-ultimate-reviews-free-plugin-1-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) details the reflected XSS issue in WP Ultimate Reviews FREE version 1.0.2, recommending that site administrators update to a patched version of the plugin if available or disable it until remediation.