CVE-2025-23760

CVE-2025-23760 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the Alex Volkov Chatter WordPress plugin. This issue affects Chatter versions from n/a through 1.0.1. The vulnerability was published on 2025-01-16 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no required privileges, though it requires user interaction. Exploitation typically involves tricking a user, such as a site administrator, into performing an action that leads to stored malicious input, enabling XSS execution when affected pages are viewed. This results in low impacts on confidentiality, integrity, and availability, but with a changed scope that elevates the overall severity.

The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/chatter/vulnerability/wordpress-chatter-plugin-1-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve details the CSRF-to-Stored XSS vector in Chatter version 1.0.1 and serves as a primary reference for mitigation guidance.