CVE-2025-23753
Published: 03 March 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-23753 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the digireturn DN Sitemap Control (dn-sitemap-control) WordPress plugin. This issue affects all versions from n/a through 1.0.6, as published on 2025-03-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction. Remote attackers can exploit it by tricking authenticated users—such as site administrators—into interacting with malicious input reflected in web pages generated by the plugin, potentially leading to limited impacts on confidentiality, integrity, and availability within a changed scope.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/dn-sitemap-control/vulnerability/wordpress-dn-sitemap-control-plugin-1-0-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS in DN Sitemap Control version 1.0.6 and provides vulnerability information for mitigation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS allows execution of arbitrary JS in victim's browser when a crafted URL is visited; this directly enables stealing web session cookies (T1539) and is typically delivered/exploited via spearphishing links (T1566.002) to trick authenticated users like admins.