CVE-2025-23752

CVE-2025-23752 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the CGD Arrange Terms (shopp-arrange) WordPress plugin by Clifton Griffin. The issue affects all versions from n/a through 1.1.3, allowing malicious input to be reflected without proper sanitization during web page generation.

A remote attacker with network access can exploit this vulnerability without authentication privileges by crafting a malicious URL that requires user interaction, such as clicking a link. With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), exploitation is of low complexity and changes the scope, enabling low-level impacts on confidentiality, integrity, and availability in the victim's browser context, such as script execution leading to session hijacking or data theft.

The Patchstack advisory provides further details on this WordPress plugin vulnerability, including assessment and potential mitigation steps, accessible at https://patchstack.com/database/Wordpress/Plugin/shopp-arrange/vulnerability/wordpress-cgd-arrange-terms-plugin-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.