CVE-2025-23742
Published: 14 February 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-23742 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Podamibe Twilio Private Call WordPress plugin (podamibe-twilio-private-call) developed by Podamibe Nepal. The issue affects all versions from n/a through 1.0.1, allowing attackers to inject malicious scripts via unsanitized input reflected in web page generation.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable remotely over the network by unauthenticated attackers with low attack complexity, provided they can induce user interaction, such as clicking a malicious link. Successful exploitation enables script execution in the context of the victim's browser, potentially compromising low levels of confidentiality, integrity, and availability while changing the scope to impact the client-side security context.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/podamibe-twilio-private-call/vulnerability/wordpress-podamibe-twilio-private-call-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS flaw in Podamibe Twilio Private Call plugin version 1.0.1, providing details for WordPress administrators to assess and address exposure in affected installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS requires crafting a malicious link that triggers arbitrary script execution upon user click, directly enabling user execution via malicious link and spearphishing link delivery.