CVE-2025-23741
Published: 03 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-23741 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Notifications Center WordPress plugin by Florian Chaillou. The issue affects all versions of the notifications-center plugin from its initial release (n/a) through 1.5.2 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no required privileges, but it necessitates user interaction such as clicking a malicious link. Successful exploitation reflects attacker-controlled input as executable script in the victim's browser context, with a changed scope enabling potential impacts beyond the targeted user. This results in low confidentiality, integrity, and availability effects as scored.
The Patchstack advisory provides details on this WordPress plugin vulnerability, including assessment and recommended actions for mitigation, accessible at https://patchstack.com/database/Wordpress/Plugin/notifications-center/vulnerability/wordpress-notifications-center-plugin-1-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of Internet-facing web apps (T1190) to execute attacker-controlled scripts in victim browser (T1203).