CVE-2025-23755

CVE-2025-23755 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the PAFacile WordPress plugin developed by tosend.it. The issue impacts all versions of PAFacile up to and including 2.6.1. It has a CVSS v3.1 base score of 7.1, reflecting network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and low impacts on confidentiality, integrity, and availability.

Attackers can exploit this vulnerability remotely without authentication by crafting malicious input that is reflected in web page generation, tricking users into interacting with it, such as clicking a specially crafted link. Successful exploitation enables execution of arbitrary scripts in the victim's browser context, potentially leading to session hijacking, data theft, or further site compromise, though impacts remain low across affected triad categories due to the reflected nature and scope change.

Patchstack advisories document this vulnerability in their WordPress plugin database, highlighting the Reflected XSS in PAFacile version 2.6.1 and earlier, with mitigation guidance available via their vulnerability entry at https://patchstack.com/database/Wordpress/Plugin/pafacile/vulnerability/wordpress-pafacile-plugin-2-6-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.