CVE-2025-23751
Published: 14 February 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-23751 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Think201 Data Dash plugin (data-dash) for WordPress. This issue affects all versions from n/a through 1.2.3, as published on 2025-02-14.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no privileges required, but user interaction needed. Remote attackers can craft malicious payloads delivered via reflected inputs, tricking authenticated users (such as site administrators) into triggering the XSS through actions like visiting a malicious link, potentially leading to limited impacts on confidentiality, integrity, and availability with a changed scope.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/data-dash/vulnerability/wordpress-data-dash-plugin-1-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS vulnerability specifically in Data Dash plugin version 1.2.3 for WordPress.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploiting public-facing app via crafted inputs) and is triggered via T1204.001 (user visiting malicious link to execute payload).