CVE-2025-23750
Published: 14 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23750 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Custom Widget Creator WordPress plugin by devbunchuk. The issue affects the custom-widget-creator plugin from its initial release through version 1.0.5.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed, with changed scope and low impacts to confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with maliciously crafted input, such as a specially crafted link or request, leading to execution of arbitrary scripts in the victim's browser context.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-widget-creator/vulnerability/wordpress-custom-widget-creator-plugin-1-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of the web application for initial access (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007).