CVE-2025-23788
Published: 14 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23788 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Easy Filter WordPress plugin by Roni Saha. The issue impacts all versions from n/a through 1.10 inclusive. Published on 2025-02-14T13:15:47.143, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated network-based attacker can exploit this vulnerability by crafting a malicious URL or input that reflects unsanitized user input back into the web page. Exploitation requires user interaction, such as a victim clicking a phishing link or visiting a malicious site while authenticated to the affected WordPress site. Upon success, the attacker achieves arbitrary script execution in the victim's browser context, with changed scope enabling low impacts to confidentiality (e.g., session data exposure), integrity (e.g., data manipulation), and availability.
The Patchstack advisory provides details on this Reflected XSS vulnerability in the WordPress Easy Filter plugin version 1.10, available at https://patchstack.com/database/Wordpress/Plugin/easy-filter/vulnerability/wordpress-easy-filter-plugin-1-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should consult it for recommended mitigations, such as updating the plugin beyond version 1.10 if a patched release exists.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploiting the vulnerable web app via malicious URL) and T1059.007 (arbitrary JavaScript execution in browser context).