Cyber Posture

CVE-2025-23746

High

Published: 22 January 2025

Published
22 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0011 29.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

An adversary may rely upon a user clicking a malicious link in order to gain execution.

Security Summary

CVE-2025-23746 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-Site Scripting (XSS) as classified under CWE-79, in the Edem CMC MIGRATE (cmc-migrate) WordPress plugin. This issue affects versions from n/a through <= 0.0.3. Published on 2025-01-22T15:15:22.783, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

An unauthenticated remote attacker with network access can exploit this vulnerability by crafting malicious input that is reflected without proper neutralization during web page generation. Exploitation requires low complexity and user interaction, such as a victim clicking a malicious link. Upon success, the attacker achieves a changed scope with low impacts on confidentiality, integrity, and availability, typically allowing arbitrary JavaScript execution in the victim's browser context.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cmc-migrate/vulnerability/wordpress-cmc-migrate-plugin-0-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this WordPress plugin vulnerability.

Details

CWE(s)
CWE-79

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
attack.mitre.org →
Why these techniques?

Reflected XSS in public-facing WordPress plugin enables T1190 (exploit public-facing app) via malicious link (T1204.001) to execute arbitrary JavaScript (T1059.007) in browser.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References