CVE-2025-23786

High

Published: 14 February 2025

Published

14 February 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0010 26.4th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Security Summary

CVE-2025-23786 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the DuoGeek Email to Download WordPress plugin. This issue affects all versions of the plugin from an unspecified initial release through 3.1.0. The vulnerability was published on 2025-02-14 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low attack complexity and no required privileges, though it necessitates user interaction, such as a victim clicking a malicious link containing the XSS payload. Upon successful exploitation, attackers achieve low impacts on confidentiality, integrity, and availability within a changed security scope, potentially allowing theft of session cookies, keystroke logging, or other client-side attacks against the interacting user.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/email-to-download/vulnerability/wordpress-email-to-download-plugin-3-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides further details on the vulnerability in the WordPress Email to Download plugin version 3.1.0.

Details

CWE(s): CWE-79

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1204.001 Malicious Link Execution

An adversary may rely upon a user clicking a malicious link in order to gain execution.

attack.mitre.org →

T1566.002 Spearphishing Link Initial Access

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

attack.mitre.org →

T1056.001 Keylogging Collection

Adversaries may log user keystrokes to intercept credentials as the user types them.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

T1539 Steal Web Session Cookie Credential Access

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

attack.mitre.org →

Why these techniques?

Reflected XSS in public-facing WordPress plugin enables remote exploitation via malicious links for user execution and phishing delivery, directly facilitating client-side attacks like keylogging and web session cookie theft/hijacking.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Plugin/email-to-download/vulnerability/wordpress-email-to-download-plugin-3-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com