CVE-2025-23789
Published: 14 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23789 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the WordPress plugin "URL Shortener | Conversion Tracking | AB Testing | WooCommerce" by tahminajannat, also referenced in connection with easy-broken-link-checker, in all versions from n/a through 9.0.2. The vulnerability was published on 2025-02-14.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the issue is exploitable remotely over the network by unauthenticated attackers with low attack complexity, though it requires user interaction such as clicking a malicious link. Successful exploitation allows reflected XSS, resulting in low impacts to confidentiality, integrity, and availability, but with changed scope that could affect other users or resources.
The Patchstack advisory documents this reflected XSS vulnerability specifically in version 9.0.2 of the WordPress URL Shortener WooCommerce plugin.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications via crafted malicious links.