CVE-2025-23787
Published: 14 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23787 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Foxskav Easy Bet (easy-bet) WordPress plugin. This issue affects Easy Bet versions from an unspecified starting point through 1.0.7. The vulnerability was published on 2025-02-14 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity and no required privileges, though it demands user interaction such as clicking a malicious link. Successful exploitation enables script execution in the context of the victim's browser with changed scope, resulting in low impacts to confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/easy-bet/vulnerability/wordpress-easy-bet-plugin-1-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the reflected XSS vulnerability in the WordPress Easy Bet plugin version 1.0.7.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS requires user interaction via a crafted malicious link to trigger arbitrary JavaScript execution in the victim's browser, directly enabling T1204.001 (Malicious Link) for user execution and T1059.007 (JavaScript) for scripting.