CVE-2025-23740
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-23740 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Easy School Registration WordPress plugin developed by Zbynek Nedoma. The issue affects the easy-school-registration plugin from unknown initial versions through version 3.9.8 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1.
Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), such as clicking a malicious link. The changed scope (S:C) enables limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), typically allowing execution of arbitrary scripts in the victim's browser context to steal session cookies, tokens, or perform other client-side actions on behalf of the user.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/easy-school-registration/vulnerability/wordpress-easy-school-registration-plugin-3-9-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this Reflected XSS vulnerability in the WordPress Easy School Registration plugin version 3.9.8, including recommended mitigations such as updating to a patched version if available.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS allows arbitrary JS execution in victim's browser to steal session cookies (T1539) and hijack browser sessions (T1185).