CVE-2025-23770
Published: 22 January 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-23770 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Caspie Fast Tube WordPress plugin, specifically versions from n/a through 2.3.1. The issue was published on 2025-01-22T15:15:23.303 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no authentication privileges but relying on user interaction, such as visiting a maliciously crafted URL. Exploitation changes the security scope, allowing limited impacts on confidentiality, integrity, and availability, such as executing arbitrary scripts in the victim's browser context to potentially steal session cookies, deface pages, or perform other client-side attacks.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fast-tube/vulnerability/wordpress-fast-tube-plugin-2-3-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details this Reflected XSS vulnerability in Fast Tube version 2.3.1, providing information relevant to mitigation for WordPress environments.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability enables arbitrary script execution in the victim's browser context, directly facilitating browser session hijacking (T1185) and stealing web session cookies (T1539) as described in the CVE.